SEC202 - Cross-System Security Validation Using SAP Solution Manager
© 2015 SAP SE or an SAP affiliate company. All rights reserved. Public
Speakers
Las Vegas, Oct 19 - 23: Frank Buchholz
Barcelona, Nov 10 - 12: Birger Toedtmann
Disclaimer
This presentation outlines our general product direction and should not be relied on in making a
purchase decision. This presentation is not subject to your license agreement or any other agreement
with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to
develop or release any functionality mentioned in this presentation. This presentation and SAP's
strategy and possible future developments are subject to change and may be changed by SAP at any
time for any reason without notice. This document is provided without a warranty of any kind, either
express or implied, including but not limited to, the implied warranties of merchantability, fitness for a
particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this
document, except if such damages were caused by SAP intentionally or grossly negligent.
Abstract
Software security remains a critical topic of interest to all companies and to the information technology
industry.
The security of a specific system also depends significantly on the secure installation and operation of that system. SAP has gained a lot of experience from its support for and engagement with numerous customers. It uses the resulting best practices not only to improve and enhance its support offering but also makes them available directly to its customers as recommendations, services and tools.
In this presentation you will learn about the self services and tools available for security, centered around the “Security” section in the EarlyWatch Alert report.
You will also get additional information about the Security Optimization Service and the Configuration Validation, which can be used to analyze the security configuration of single systems as well as of the complete system landscape.
Finally you will see how to show the results of security reporting in Dashboards and how to trigger Alerts.
Agenda
Best Practices-based Services
Security Tools and Services
  EarlyWatch Alert (EWA) – Security Chapter
  Security Optimization Service (SOS)
  Configuration Validation
Security in Operations
  Dashboards & Alerts
  Integration with GRC Process Control
Best Practices-based Services
IT Risk & Security Lifecycle - for each single IT organization
Inventory: Collect and document all systems maintained/operated.
Information Classification: All systems have to be assigned to a category of systems according to the criticality of the data/information stored/processed on the system.
IT Security Requirements: The IT security measures based on the system classification have to be aligned with the business requirements. Compromises might have to be made on both sides. Remaining risks have to be identified and addressed with the respective business owners.
Gap analysis: Compare implemented security measures vs. security requirements and identify existing gaps.
Risk Assessment: Evaluate the operational risk resulting from the identified gaps. Report the results of the risk assessment according to the defined operational IT Risk Management process.
Planning / Implementation: Develop an implementation plan covering the missing IT Security measures according to the criticality of the related risk to be mitigated. Implement the security measures.
Monitoring: Monitor changes in processes, infrastructure and risk situation.

Authentication: Prove who you are. Passwords, SSO, Federation.
User Management: Maintain accounts. Identity Management and more.
Authorizations: Who’s allowed to do what? Privilege management.
Analysis+Reporting: Company wide consolidation of security settings.
System+Infrastructure Security: Code security, RFC gateway, network and interfaces.

Investment in authorizations and user management (“putting locks on doors”) is often endangered by negligent handling of baseline security measures (“leaving open the windows”).
Internal and external auditors are “discovering” these topics at the moment!
Security Tools and Services
EarlyWatch Alert (EWA) – Security Chapter
The Role of EarlyWatch Alert (EWA) for Security
SAP EarlyWatch Alert (EWA) (see http://service.sap.com/ewa)
SAP EarlyWatch Alert is an important part of making sure that your core
business processes work. It is a tool that monitors the essential
administrative areas of SAP components and keeps you up to date on their
performance and stability. SAP EarlyWatch Alert runs automatically to keep
you informed, so you can react to issues proactively, before they become
critical.
Security in the EarlyWatch Alert:
The EWA Report includes selected information on critical security observations for
SAP Application Server ABAP
SAP Application Server Java
SAP HANA
More detailed and additional information can be found with the help of the Security Optimization
Service (SOS) – either as Guided Self Service (GSS) for AS ABAP or as remote or onsite SOS for
all technologies.
EWA Summary
EarlyWatch Alert Chapter “Security”
Overview
EarlyWatch Alert – HANA Security Checks
DATA ADMIN Privilege (1/2)
EarlyWatch Alert – HANA Security Checks
DATA ADMIN Privilege (2/2)
EarlyWatch Alert – HANA Security Checks
Password Policy – Critical Parameters
If one of these three parameters gets a non-green rating – i.e. there is a severe finding regarding the password
policy enforcement – then additional password complexity parameters are shown for information and
recommendation (see next slide).
EarlyWatch Alert – HANA Security Checks
Password Policy – Additional Parameters
The following list of password complexity parameters, current values and recommendations is shown only if one of the three critical password parameters (see previous slide) received a non-green rating.
The optional parameters listed on this slide never trigger an EWA HANA Password Policy entry on their own.
EarlyWatch Alert – HANA Security Checks
Audit Trail Settings
EarlyWatch Alert – HANA Security Checks
SQL Trace Level
EarlyWatch Alert Chapter “Security”
Default Passwords of Standard Users
EarlyWatch Alert Chapter “Security”
Control of Automatic User SAP*
EarlyWatch Alert Chapter “Security”
Password Policy (1/3)
EarlyWatch Alert Chapter “Security”
Password Policy (2/3)
EarlyWatch Alert Chapter “Security”
Password Policy (3/3)
EarlyWatch Alert Chapter “Security”
Gateway and Message Server Security
EarlyWatch Alert Chapter “Security”
Gateway Security (1/3)
EarlyWatch Alert Chapter “Security”
Gateway Security (2/3)
EarlyWatch Alert Chapter “Security”
Gateway Security (3/3)
EarlyWatch Alert Chapter “Security”
Message Server Security (1/2)
EarlyWatch Alert Chapter “Security”
Message Server Security (2/2)
EarlyWatch Alert Chapter “Security”
Users with Critical Authorizations
Security Tools and Services
Security Optimization Service (SOS)
Value Proposition
The SAP Security Optimization Service is designed to verify and improve the security of customers' SAP systems by identifying potential security issues and giving recommendations on how to improve the security of the system.
Keeping the security and availability of customer SAP solutions high is a tremendous value to customers' businesses - a value delivered by the SAP Security Optimization Service. Analysis is the key to this value, which is necessary to:
■ Decrease the risk of a system intrusion
■ Ensure the confidentiality of business data
■ Ensure the authenticity of users
■ Substantially reduce the risk of costly downtime due to wrong user interaction
More information can be found under the alias SOS in the SAP Service Market Place
■ http://service.sap.com/sos
SAP Security Optimization Service – Overview
SAP Security Optimization Self Service: The SAP Solution Manager offers the possibility to locally execute the SAP Security Optimization Service. All completely automated checks in ABAP systems. No additional costs for this service.
SAP Security Optimization Remote Service: Broad range of security checks extending the Self-Service checks. Performed by experienced service engineers. Part of the CQC service offering.
SAP Security Optimization Onsite Service: Individual range of security checks, e.g. for the SAP Enterprise Portal. Performed by specialists. Additional costs for this service.
Security Optimization Service
Scope of Remote Service and Self Service
SAP NetWeaver Application Server ABAP: Basis administration check, User management check, Super users check, Password check, Spool and printer authorization check, Background authorization check, Batch input authorization check, Transport control authorization check, Role management authorization check, Profile parameter check, SAP GUI Single Sign-On (SSO) check, Certificate Single Sign-On (SSO) check, External authentication check
Types of checks in SOS NW AS ABAP: Authorization checks: 116; Non authorization checks: 110 (Configuration checks: 66, Other security checks: 44)
SAProuter: SAProuttab checks
OS access checks
SNC checks
SAP NetWeaver Application Server Java: Configuration checks, SSL checks, Administration checks
SAP Enterprise Portal: Configuration checks, Administration checks, Authorization checks for portal content, user management and administration
Scope of the SOS Self Service
Security Optimization Service (SOS)
Process Flow
Security Check (Scan, Rate, Report):
Scan: A SAP system is scanned and checked for critical security settings. Only white box checks are executed, no black box checks (“hacking”).
Rate: In order to determine the actual risk, the vulnerabilities are ranked using a rating logic. The rating is based on the severity and probability of each vulnerability.
Report: A report is created containing the identified vulnerabilities of the analyzed SAP system. The report contains recommendations to eliminate or reduce the vulnerabilities found during the Security Optimization Service.
Follow-up actions (Implement):
Implement: The implementation of the recommended security measures can be done by the customer, by SAP security consulting, or by certified SAP partners.
(Figure labels: Managed System, Solution Manager)
Sample service report header (as shown on the slide):
Service Report – SAP Security Optimization
Service Center: Telephone, E-Mail [email protected], Fax
Date of Session: 01.04.2006 <dat_dummy> | Session No.: 0011234567891 | Date of Report: 02.04.2006 | Installation No.: 0022222222 | Author: Ulf Goldschmidt | Customer No.: 00063790 <Watermark>
SAP System ID: PRD | SAP Component, Release 4.6C | DB System
Customer: Sample Customer, 2201 C Street NW, Washington, DC 20520
SAP AG 2005
How is the Rating Done?
The risk is calculated as a function of the severity and the probability of a security incident. Each cell of the matrix shows the product Severity × Probability and the resulting risk rating:
Severity \ Probability | 3 HIGH | 2 MED | 1 LOW | 0 NONE
0 Very LOW | 0 LOW | 0 LOW | 0 LOW | 0 LOW
1 LOW | 3 MED | 2 MED | 1 LOW | 0 LOW
2 MED | 6 HIGH | 4 MED | 2 MED | 0 LOW
3 HIGH | 9 HIGH | 6 HIGH | 3 MED | 0 LOW
Questionnaire
The questionnaire is filled out by the customer to prepare the service.
The questionnaire contains about 25 questions.
Specifying known users with critical authorizations in the questionnaire excludes them from the report. This helps to keep the report readable and to do a correct risk analysis.
Customize the look of the report.
Selection of the tested clients.
R/3 Basis and WebAS ABAP Stack
Security Optimization Service - Questionnaire
2.1 Print the User Data (All Checks)
Procedure: If you want user data (first name, last name and department of the user) printed in the report, select the field "Print User Data". If you do not select the field, only the user name is printed. When creating the ST14 data, the sending of the user data (first and last name) to SAP can also be avoided by a parameter.
Print User Data? [Flag] – Activate if user data wanted
2.2 Download and Check for Very Weak Passwords (0145)
Procedure: If you want your user passwords checked, select the field "Download Encrypted Passwords". In this case we download the encrypted passwords of your users and try a very simple dictionary attack on them. Only the percentage of very weak passwords is stored and reported.
Download passwords? [Flag] – Activate if pwd check wanted
2.3 User for Remote Access from SAP (0531)
Procedure: Enter the name of the user (or one of the users) that you hand over to SAP for logging on to your SAP system.
Fields: Client, User ID
2.4 User Segregation (0004)
Procedure: If you have segregated your users in different user groups, select the field "User Segregation" in the table.
Segregation in Usergroups [Flag] – Activate checkbox if used
2.5 Super Users (0021)
Procedure: List for each client the known super users. These are the users having the profile SAP_ALL. Please mention the users with user type "dialog", "service", "system" or "communication". If a super user exists in all clients, you can also insert "ALL" in the field "Client" instead of listing all clients.
Fields: Client, User
Guided Self-Service for Security Optimization – Create new Session
Guided Self-Service for Security Optimization – Execute Session
Guided Self-Service for Security Optimization – Maintain Questionnaire
Customer Report: Service Rating
The Security Optimization Self Service results in a report which contains all identified findings, enhanced with corresponding recommendations.
If very critical issues are found, then the overall SOS rating will be red. In this case, the chapter “Service Rating” will list those checks that triggered the overall red rating.
Customer Report: Action Items
The action items list at the top of the report gives a good overview of the complete system status.
The action items are created automatically from all checks rated with high risk.
The list can be individually adapted.
We use the red traffic light as “high risk” and the yellow traffic light as “medium risk”.
“Green” results are normally skipped in order to reduce the size of the report.
All checks have a four-digit identifier which makes it easy to find the detailed description in the report.
Security Optimization, Sample Customer, 02.04.2006
3 Detected Issues
The following list gives you an overview of all checks in the SAP Security Optimization service that are rated with a high risk:
Action Items
*** Special Focus Checks ***
6 Users - Other Than the System Administrators - Are Allowed to Call ST14 ? (0168)
*** Authentication ***
*** Passwords ***
1 Users - Other Than User Administrators - Are Authorized to Change Passwords (0121)
Users with Initial Passwords Who Have Never Logged On (0009)
Users with Reset Password Who Have Not Logged On (0140)
*** General Authentication ***
1 Users - Other Than the User Administrators - Are Authorized to Lock/Unlock Users (0135)
*** User Authorization ***
*** User Management ***
1 Users - Other Than the User Administrators - Are Authorized to Maintain Users (0002)
1 User Administrators Are Authorized to Change Their Own User Master Record (0003)
Users Are Not Assigned to User Groups (0005)
1 Users with Authorizations for User and Role/Profile/Authorization Maintenance (0008)
Usage of 'Normal' Users as Reference Users Is Not Prohibited (0012)
7 Users - Other Than the User Administrators - Are Authorized to Access Tables with User Data (0013)
2 Users - Other Than the User Administrators - Are Authorized to Call Function Modules for User Admin (0019)
*** Super Users ***
1 Unexpected Users Are Authorized to Change Super User Accounts (0026)
Users with Profile SAP_NEW (0031)
*** Role & Authorization Management ***
1 Users Are Authorized to Maintain Profiles Directly in the Production System (0073)
1 Users Are Authorized to Maintain Authorizations Directly in the Production System (0074)
*** Authorizations ***
5 Users Are Authorized to Delete an Authorization Check Before Transaction Start (0111)
*** Basis Authorization ***
*** Basis Administration ***
1 Users - Other Than the System Administrators - Are Authorized to Maintain System Profiles (0152)
1 Users - Other Than the System Administrators - Are Authorized to Start/Stop Application Servers (0154)
1 Users - Other Than the System Administrators - Are Authorized to Start/Stop Workprocesses (0156)
1 Users - Other Than the System Administrators - Are Authorized to Lock/Unlock Transactions (0157)
1 Users - Other Than the System Administrators - Are Authorized to Maintain Other User's Lock Entries (0159)
1 Users - Other Than the System Administrators - Are Authorized to Delete or Reprocess Broken Updates (0161)
1 Users - Other Than the System Administrators - Are Authorized to Activate a Trace (0163)
System Profiles Are Not Consistent (0153)
*** Spool & Printer ***
1 Users - Other Than the Spool Admins - Are Authorized to Display Protected Spool Requests of Other Users (0198)
1 Users - Other Than the Spool Administrators - Are Authorized to Display the TemSe Content (0193)
1 Users - Other Than the Spool Administrators - Are Authorized to Change the Owner of Spool Requests (0194)
1 Users - Other Than the Spool Admins - Are Authorized to Redirect a Print Request to Another Printer (0195)
1 Users - Other Than the Spool Administrators - Are Authorized to Export a Print Request (0196)
*** Background ***
Periodic Background Jobs Scheduled with User of Type Other Than 'SYSTEM' (0211)
8 Users - Other Than the Background Administrators - Are Authorized to Schedule Jobs in SM36 (0212)
1 Users - Other Than the Background Administrators - Are Authorized to Schedule Jobs in External Commands (0213)
*** OS Access ***
1 Users - Other Than the System Administrators - Are Authorized to Define External OS Commands (0171)
1 Users - Other Than the System Administrators - Are Authorized to View Content of OS Files with AL11 (0173)
*** Outgoing RFC ***
1 Users - Other Than the System Administrators - Are Authorized to Administer RFC Connections (0255)
7 Users - Other Than the System Administrators - Are Authorized to Access RFC Logon Information (0256)
1 Users - Other Than the System Administrators - Are Authorized to Maintain Trusting Systems (0268)
*** Incoming RFC ***
8 Users - Other Than the Communication Users - Are Authorized to Run any RFC Function (0241)
1 Users - Other Than the Key Users - Are Authorized to Visualize all Tables via RFC (0245)
Unexpected Trusted System Connections Found (0238)
1 Users - Other Than the System Administrators - Are Authorized to Maintain Trusted Systems (0240)
*** Application Link Enabling (ALE) ***
1 Users - Other Than the System Administrators - Allowed to Maintain the Partner Profile (0724)
*** Change Management ***
*** Data & Program Access ***
1 Users - Other Than Key Users - Are Authorized to Display All Tables (0513)
1 Users Are Authorized to Maintain All Tables (0514)
7 Users - Other Than the System Admins - Are Authorized to Change the Authorization Group of Tables (0515)
6 Users Are Authorized to Execute All Function Modules (0520)
*** Change Control ***
System Change Option Not Appropriately Configured in the Production System (0301)
1 Users - Other Than the System Administrators - Are Authorized to Change the Client Change Option (0304)
1 Users - Other Than the System Administrators - Are Authorized to Create New Clients (0305)
1 Users - Other Than the System Administrators - Are Authorized to Delete Clients (0306)
6 Users Are Authorized to Develop in the Production System (0307)
1 Users Are Authorized to Perform Customizing in the Production System (0309)
76 Users Are Authorized to Develop Queries in the Production System (0310)
*** Transport Control ***
1 Users - Other Than the System and Transport Admins - are Authorized to Create and Release Transports (0343)
*** SAProuter ***
SAProuter Allows Generic Access to the Customers Servers (0545)
Customer Report: Example of an Authorization Check
Information in the checks:
Explanation of the vulnerability
Some “unexpected” users having this authorization
The number of unexpected users
A recommendation how to handle this situation
All checked authorization objects
6.3.7 Users - Other Than the Spool Administrators - Are Authorized to Print on all Devices (0197)
Output of sensitive data can be sent accidentally to a wrong printer and could be accessed by an unauthorized employee.
Client User Type Last Name First Name Department User Group
300 AARONF A Aaron Frank OFFICE
300 ANTONOVI A Antonov Igor OFFICE
300 AUTUMW A Autum Wallis OFFICE
300 BARCANI A Barcan Ivory OFFICE
300 BLACKBEARDC A Blackbeard Christ OFFICE
300 BLUEBERRYA A Blueberry Agneta OFFICE
300 BLUMBERGH A Blumberg Harald OFFICE
300 BRAUERM A Brauer Michael OFFICE
300 BUSHH A Bush Herbert OFFICE
300 CHESTS A Chest Swetlana OFFICE
300 FERRYB A Ferry Brian OFFICE
300 FERRYG A Ferry Greg OFFICE
300 HENGSTNERJ A Hengstner Joan OFFICE
300 KINGD A King David OFFICE
300 KINGF A King Frank OFFICE
300 LANDISG A Landis George OFFICE
300 ROBERTA A Robert Alexander OFFICE
300 VOLKOVC A Volkov Chris OFFICE
300 WINTERN A Winter Natascha OFFICE
300 XERTAMY A Xertam Yanis OFFICE
300 Count : 0220
Evaluated result:
More than 20% of your users, of at least one client, can print on all devices.
Recommendation:
Use the Profile Generator (PFCG) to correct roles. Use the transactions SU02 (Maintain Profiles) and SU03 (Maintain Authorizations) to correct profiles and authorizations, depending on your environment. You can use the authorization info system (SUIM) to check the results. For this check examine the roles or profiles that include the authorization objects listed below.
Authorization object: Object1: S_SPO_DEV with SPODEVICE = *.
Count: 220
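The evaluation shown above (unexpected users holding S_SPO_DEV with SPODEVICE = *, the "more than 20% of users in at least one client" rule, and the exclusion of users declared in the questionnaire), as an added example that is not SAP's or the SOS's own code; it also covers the S_RFC, S_DEVELOP and S_TABU_DIS checks the later "Top Issues" slides name. The user master data, the questionnaire entries and the count-based rule for the non-0197 checks are constructed assumptions.

```python
"""Added example (not SAP's code): evaluating SOS-style authorization checks
over constructed user/authorization data. Users named in the questionnaire as
expected holders of an authorization are skipped, as the report does."""
from collections import defaultdict

# Check definitions taken from the slides: authorization object, the field
# values that make the authorization unlimited, and the questionnaire group
# that is allowed to hold it. Field names are those of the SAP objects.
CHECKS = {
    "0197": ("S_SPO_DEV", {"SPODEVICE": "*"}, "spool_admins"),
    "0241": ("S_RFC", {"RFC_NAME": "*"}, "communication_users"),
    "0308": ("S_DEVELOP", {"OBJTYPE": "DEBUG", "ACTVT": "02"}, "emergency_users"),
    "0513": ("S_TABU_DIS", {"DICBERCLS": "*", "ACTVT": "03"}, "key_users"),
    "0514": ("S_TABU_DIS", {"DICBERCLS": "*", "ACTVT": "02"}, "key_users"),
}

# Questionnaire answers (constructed): known, accepted users per group.
QUESTIONNAIRE = {
    "spool_admins": {"SPOOLADM"},
    "communication_users": {"RFC_SYSTEM"},
    "emergency_users": {"FIREFIGHT"},
    "key_users": {"KEYUSER1"},
}


def field_covers(granted, required):
    """A granted field covers the required value if it holds the full
    wildcard '*' or that exact value. Ranges and patterns such as 'Z*'
    exist in real authorizations but are out of scope for this example."""
    return "*" in granted or required in granted


def user_has(authorizations, obj, required):
    """True if one single authorization for obj covers every required field."""
    return any(auth_obj == obj and
               all(field_covers(fields.get(f, []), v) for f, v in required.items())
               for auth_obj, fields in authorizations)


def evaluate_check(check_id, users):
    """Per client: total users and the unexpected users holding the
    authorization (expected users from the questionnaire are excluded)."""
    obj, required, group = CHECKS[check_id]
    expected = QUESTIONNAIRE.get(group, set())
    per_client = defaultdict(lambda: {"total": 0, "unexpected": []})
    for client, name, _user_type, auths in users:
        per_client[client]["total"] += 1
        if name not in expected and user_has(auths, obj, required):
            per_client[client]["unexpected"].append(name)
    for stats in per_client.values():
        stats["unexpected"].sort()
        stats["percent"] = 100.0 * len(stats["unexpected"]) / stats["total"]
    return dict(per_client)


def is_finding(per_client, threshold_pct):
    """Rating rule quoted for check 0197: 'More than 20% of your users, of at
    least one client'. For count-based checks call with threshold_pct=0."""
    return any(s["percent"] > threshold_pct for s in per_client.values())


# Constructed user master data: (client, user id, user type, authorizations),
# each authorization being (object, {field: [granted values]}).
USERS = [
    ("300", "SPOOLADM", "A", [("S_SPO_DEV", {"SPODEVICE": ["*"]})]),
    ("300", "AARONF", "A", [("S_SPO_DEV", {"SPODEVICE": ["*"]})]),
    ("300", "ANTONOVI", "A", [("S_SPO_DEV", {"SPODEVICE": ["*"]})]),
    ("300", "BRAUERM", "A", [("S_SPO_DEV", {"SPODEVICE": ["*"]}),
                             ("S_RFC", {"RFC_TYPE": ["FUGR"], "RFC_NAME": ["*"], "ACTVT": ["16"]})]),
    ("300", "KINGD", "A", [("S_SPO_DEV", {"SPODEVICE": ["LP01"]})]),
    ("300", "RFC_SYSTEM", "B", [("S_RFC", {"RFC_TYPE": ["FUGR"], "RFC_NAME": ["*"], "ACTVT": ["16"]})]),
    ("300", "FIREFIGHT", "A", [("S_DEVELOP", {"OBJTYPE": ["DEBUG"], "ACTVT": ["02", "03"]})]),
    ("300", "KEYUSER1", "A", [("S_TABU_DIS", {"DICBERCLS": ["*"], "ACTVT": ["03"]})]),
    ("300", "LANDISG", "A", [("S_TABU_DIS", {"DICBERCLS": ["&NC&"], "ACTVT": ["03"]})]),
    ("300", "WINTERN", "A", [("S_DEVELOP", {"OBJTYPE": ["PROG"], "ACTVT": ["03"]})]),
    ("100", "SPOOLADM", "A", [("S_SPO_DEV", {"SPODEVICE": ["*"]})]),
    ("100", "VOLKOVC", "A", []),
    ("100", "XERTAMY", "A", [("S_TABU_DIS", {"DICBERCLS": ["*"], "ACTVT": ["*"]})]),
    ("100", "FERRYB", "A", [("S_DEVELOP", {"OBJTYPE": ["*"], "ACTVT": ["*"]})]),
]

if __name__ == "__main__":
    for cid in CHECKS:
        res = evaluate_check(cid, USERS)
        flag = is_finding(res, 20.0 if cid == "0197" else 0.0)
        summary = {c: (len(s["unexpected"]), round(s["percent"], 1)) for c, s in res.items()}
        print(cid, "FINDING" if flag else "ok", summary)
```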
Sample Questionnaire and Report
Deriving an Action Plan
Deriving an Action Plan is easy ... in theory.
The SOS report is designed to already contain everything you need for it:
a general introduction
the findings and explanations
risk ratings
recommendations
technical background information
So just go ahead!
Deriving an Action Plan ... is not that easy when the report is huge
When the SOS report is huge, working on it as described on the previous slide takes a lot of time and resources ... and may even result in nothing happening at all.
The goal of the SOS, however, is not to produce a nice report but to have impact and improve the security of the respective system!
Recommended solution:
Identify „Top Issues“ – including those potentially listed in the “Service Rating” chapter – and solve them first!
Identify „Systematic Issues“ (e.g. issues with the authorization concept) and trigger a solution
Identify „Quick Wins“ and implement them
Determine the remaining risk and either address the next set of „Top Issues“ or get agreement that the achieved level of security is acceptable until the next scheduled run of the SOS
How to Identify „Top Issues“
Some Risk Management Basics
Consider external threats before internal threats
Consider intentional threats before unintentional threats
Consider the potential of a risk and go for higher risks first
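The rating matrix from the "How is the Rating Done?" slide, the automatic action-item list (all checks rated high risk, green results skipped) and the three prioritization rules above, worked through in code as an added example that is not SAP's or the SOS's own implementation. The check ids and titles are the ones quoted on the slides; the severity, probability and threat attributes assigned to each constructed finding are illustrative assumptions.

```python
"""Added example (not SAP's code): the SOS rating matrix, the automatic
action-item list and the "Top Issues" ordering from the slides, applied to
constructed findings. Severity/probability values per finding are assumed."""
from dataclasses import dataclass

# Scales as printed on the "How is the Rating Done?" matrix.
SEVERITY = {"VERY_LOW": 0, "LOW": 1, "MED": 2, "HIGH": 3}
PROBABILITY = {"NONE": 0, "LOW": 1, "MED": 2, "HIGH": 3}


def risk_score(severity, probability):
    """Risk = Severity x Probability; the number printed in each matrix cell."""
    return SEVERITY[severity] * PROBABILITY[probability]


def risk_rating(score):
    """Traffic light for a cell: 0-1 -> LOW (green), 2-4 -> MED (yellow),
    6 and 9 -> HIGH (red). These thresholds reproduce every cell of the slide."""
    if score >= 6:
        return "HIGH"
    if score >= 2:
        return "MED"
    return "LOW"


def rating_matrix():
    """Rebuild the whole slide matrix: (severity, probability) -> (score, rating)."""
    return {(s, p): (risk_score(s, p), risk_rating(risk_score(s, p)))
            for s in SEVERITY for p in PROBABILITY}


@dataclass
class Finding:
    check_id: str             # four-digit SOS check identifier, e.g. "0241"
    title: str
    severity: str
    probability: str
    external: bool = False    # reachable by a network peer without an account
    intentional: bool = True  # needs a deliberate actor (vs. accidental misuse)

    @property
    def score(self):
        return risk_score(self.severity, self.probability)

    @property
    def rating(self):
        return risk_rating(self.score)


def report_entries(findings):
    """Green (LOW) results are normally skipped to keep the report short."""
    return [f for f in findings if f.rating != "LOW"]


def action_items(findings):
    """The action-item list is built from all checks rated HIGH (red)."""
    return [f for f in findings if f.rating == "HIGH"]


def top_issue_order(findings):
    """Risk management basics from the slide: external before internal,
    intentional before unintentional, higher risk first; check id breaks ties."""
    return sorted(findings, key=lambda f: (not f.external, not f.intentional,
                                           -f.score, f.check_id))


# Constructed findings: ids/titles as quoted on the slides, the rest assumed.
SAMPLE_FINDINGS = [
    Finding("0041", "Standard users with default passwords", "HIGH", "HIGH", external=True),
    Finding("0241", "Users authorized to run any RFC function (S_RFC RFC_NAME = *)", "HIGH", "MED"),
    Finding("0308", "Users authorized to debug / replace", "HIGH", "MED"),
    Finding("0310", "Users authorized to develop queries in production", "MED", "MED"),
    Finding("0197", "Users authorized to print on all devices", "LOW", "HIGH"),
    Finding("0211", "Periodic jobs scheduled with non-SYSTEM user type", "MED", "LOW",
            intentional=False),
    Finding("0005", "Users not assigned to user groups", "LOW", "LOW"),
]

if __name__ == "__main__":
    for f in top_issue_order(SAMPLE_FINDINGS):
        print(f"{f.check_id} {f.rating:4} (risk {f.score}) {f.title}")
```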
How to Identify „Top Issues“ – Candidate „Standard Users with Default Password“
Candidate: „Standard Users with Default Passwords“
Threat: Standard users with default passwords allow anyone, who is able to establish a network
connection to your system, to anonymously enter it and execute code under potentially high
authorizations.
In the SOS report look for section „User Authorization“ – „Standard Users“. Check-ID 0041
Action: Change the password. Use report RSUSR003 to show the critical users locally.
Remark: Look for the other checks in this SOS section as well. They also contain valuable
recommendations to protect your system from this threat!
How to Identify „Top Issues“ – Candidate „Insufficient Password Policy“
Candidate: „Insufficient Password Policy“
Threat: Weak passwords may give unauthorized people access to potentially powerful accounts. This
risks the confidentiality, integrity and availability of your data.
In the SOS report look for section „Authentication“ – „Passwords“ Check-ID 0123
Action: Carefully review the whole „Password“ section of the SOS. Decide on an appropriate password policy (if not already defined) and implement it with the recommended settings as suggested in the SOS report.
How to Identify „Top Issues“ – Candidate „Users with authorization profile SAP_ALL“
Candidate: „Users with authorization profile SAP_ALL“
Threat: Users with SAP_ALL can completely compromise your system – intentionally or unintentionally.
Moreover they can not only circumvent any authorization checks but any auditing as well.
In the SOS report look for section „Special Focus Checks“ – „Additional Super User Accounts Found“
- Check-ID 0022
Action: Avoid SAP_ALL as far as possible and try to restrict it to relevant emergency accounts which are
only used in emergency situations under tight control. Add accepted SAP_ALL accounts to the
questionnaire and closely monitor this section in future SOS runs.
How to Identify „Top Issues“ – Candidate „Users authorized to start all reports“
Candidate: „Users authorized to start all reports“
Threat: These users can start all reports, potentially also bypassing certain S_TCODE checks.
In the SOS report look for section „Change Management“ – „Data & Program Access“
Check-ID 0512
Action: Limit users with this authorization to the unavoidable minimum
How to Identify „Top Issues“ – Candidate „Users with full authorization for authorization object S_RFC“
Candidate: „Users with full authorizations for authorization object S_RFC“
Threat: These users can be used to call any RFC function from outside the system.
In the SOS report look for section „Basis Authorization“ – „Incoming RFC“ Check-ID 0241
Action: Replace authorizations for S_RFC with RFC_NAME = * with strongly restricted authorizations.
Limit the RFC functions, for which a specific user (group) is authorized to the required set. Use the
Workload Statistics, transaction ST03N, to identify required RFC functions.
How to Identify „Top Issues“ – Candidate „Users authorized to debug / replace“
Candidate: „Users authorized to debug / replace“
Threat: These users can run all programs with debug / replace, e.g. replace a data value or bypass any authorization check.
In the SOS report look for section „Change Management“ – „Change Control“
Check-ID 0308
Action: Limit users with this authorization to the unavoidable minimum. Authorization for „Debug /
Replace“ (authorization object S_DEVELOP with type DEBUG and activity 02=change) should only be
assigned to emergency users in production systems.
How to Identify "Top Issues" – Candidate "Users authorized to display all tables"
Candidate: "Users authorized to display all tables"
Threat: These users can view all tables, including technical information as well as any business or
personal data.
In the SOS report look for section "Change Management" – "Data & Program Access", Check-ID 0513
Action: Limit users with this authorization (authorization object S_TABU_DIS with table authorization group * and
activity 03 = display) to the unavoidable minimum. Use authorization object S_TABU_NAM to grant access
to a short list of individual tables if required.
How to Identify "Top Issues" – Candidate "Users authorized to maintain all tables"
Candidate: "Users authorized to change all tables"
Threat: These users can change most tables, including technical information as well as any business or
personal data.
In the SOS report look for section "Change Management" – "Data & Program Access", Check-ID 0514
Action: Limit users with this authorization (authorization object S_TABU_DIS with table authorization group * and
activity 02 = change) to the unavoidable minimum. Use authorization object S_TABU_NAM to grant access
to a short list of individual tables if required.
SOS report heading (screenshot): 7.1.3 Users – Other Than Key Users – Are Authorized to Maintain All Tables (0514)
How to Identify "Top Issues" – Candidate "Users authorized to execute all function modules"
Candidate: "Users authorized to execute all function modules"
Threat: These users can execute any function module (e.g. from SE37), and several critical function modules do not
contain any authorization checks of their own.
In the SOS report look for section "Change Management" – "Data & Program Access", Check-ID 0520
Action: Limit users with this authorization (authorization object S_DEVELOP with object type FUGR and activity
16 = execute) to the unavoidable minimum.
How to Identify "Top Issues" – Candidate "Security Audit Log Deactivated"
Candidate: "Security Audit Log Deactivated"
Threat: If the Security Audit Log is deactivated, security-critical events are not recorded and are available neither for
monitoring nor for the follow-up of a security incident.
In the SOS report look for section "Authentication" – "General Authentication", Check-ID 0136
Action: Switch on the Security Audit Log for all clients. The Security Audit Log is optimized for performance
and space, so if logging is restricted to critical security events only, activating the Security Audit Log
is feasible on all systems, including production systems.
How to Identify "Top Issues" – Candidate "System Change Option Not Appropriately Configured"
Candidate: "System Change Option Not Appropriately Configured"
Threat: If the system is set to "modifiable", unintended or malicious changes may be possible, which
is especially critical for a production system. For production systems this may even endanger the
auditability of the system or lead to critical audit findings.
In the SOS report look for section "Change Management" – "Change Control", Check-ID 0301
Action: Set the System Change Option (transaction SE06) to "not modifiable" on production systems.
How to Identify "Top Issues" – Candidate "RFC destinations with login information"
Candidate: "RFC destinations with login information"
Threat: These RFC destinations allow access to remote systems with stored login information (user and password).
Unauthorized usage will compromise the security of the remote system.
In the SOS report look for section "Basis Authorization" – "Outgoing RFC", Check-ID 0254
Action: For each RFC connection with stored login information, find a responsible person who knows the
need and purpose of this entry. Check the remaining entries for whether they can be removed, and remove all
entries that are no longer needed. Use report RSRFCCHK and the Workload Statistics, transaction
ST03N, to analyze RFC connectivity.
How to Identify "Top Issues" – Authorization checks with high numbers of users
Candidate: Authorization checks with high numbers of users
Threat: If a high number of users has a certain critical authorization, misuse of this authorization is more
likely and the ability to audit its usage or misuse is diminished.
In the SOS report look for any authorization check with a high "Count:" in any of the clients. A high count
means that many users have this authorization who are not named in the questionnaire.
Action: Limit users with the respective authorization to the unavoidable minimum.
Action Definition Template
Name / Identification of the Action
Short summary of the issue
Required Actions
Who | By When | What
tbd | tbd | Next Review
Use the standard procedure that works best in your environment for
defining, assigning and tracking actions. This can be issues / top issues
in the Solution Manager, some ticketing system or a manual process
based on Word, PowerPoint, Outlook or something else.
Further Information and Contact
Contact address
Public information
SAP Service Marketplace, using alias /SOS
http://service.sap.com/sos
SAP Notes:
Note 696478 - SAP Security Optimization: Preparation & Additional Info
Note 837490 - Execution of the Security Optimization Self-Service
Note 863362 - Security Checks in the SAP EarlyWatch Alert
Related SAP education training opportunities
http://www.sap.com/education
Search for ADM960: Security in SAP system environments
Security Optimization Service: Expert Guided Implementation – "Training on the Job" at Its Best
Training, practical experience, remote consulting (same daily pattern on Day 1, Day 2 and Day 3-5)
Empowering: Web session, 1-2 hours each morning. An SAP expert explains the step-by-step
configuration using training materials.
Execution: 2-3 hours on the same day. Participants execute the demonstrated steps
within their own project, on their own SAP Solution Manager software.
Expertise on demand: during execution. Participants have direct access to an
SAP expert who directly supports them remotely, if necessary, during the execution.
More information on available EGI topics and booking information can be found here:
https://service.sap.com/expert-guided-implementation
Security Tools and Services
Configuration Validation
Change Diagnostics Capabilities
E2E Change Analysis and Configuration Validation
(Diagram) Configuration items are extracted from the managed systems into SAP Solution Manager, where they are stored in one
repository and reported on.
Compliance reporting on configuration items (Configuration Validation)
Change tracking of configuration items (E2E Change Analysis)
Typical Questions
Which database parameters were changed by the 24/7 support team last night?
What was last month's content of the j2ee/cluster/instance.properties file?
Is there one place where all changes in the system are listed?
What are the configuration differences between server0 and server1?
How many stabilization transports did we have after the last GoLive?
How many objects did we change last month?
How many urgent corrections did we import last month?
How many transports did we import last month?
Challenges
For a large number of systems in a complex SAP landscape we need to compare the current
configuration status against a defined target or standard configuration baseline,
with minimum effort and as soon as possible.
The Diagnostics Core
Diagnostic Infrastructure: Configuration and Change Database (CCDB) in Solution Manager
Data sources on the managed systems: Solution Tool Plugins (ST-A/PI) for ABAP-based installations, Diagnostics Agents for non-ABAP-based installations
Extractor Framework (EFWK): scheduled extractions (hourly / once a day)
BI Reporting: InfoCube 0SMD_CA02
E2E Change Analysis II
Change Reporting – browse CCDB data (CCDB data view per managed system, with drilldown navigation)
E2E Change Analysis – top-down view on changes
The extraction of the data is scheduled as soon as a "Managed System Configuration" has been performed for a system.
What is a Config Store?
Config Store within the Configuration and Change Database (CCDB)
The single configuration details are stored in containers of a defined type called Configuration Store.
There are different types of Configuration Stores depending on the structure of the data the Configuration Store contains.
The most important types are xml, txt, ini, properties (two-column container: parameter, value), table (container with more than
two columns: key1, key2, ..., value1, value2, ...) and event (like table, but event-based).
CCDB Administration – Overview
Transaction CCDB
General
CCDB Infrastructure: overview showing the relevant jobs and their task status
CCDB Statistics: statistics provide a quick overview, by category, of all Config Stores of all
connected technical (managed) systems
CCDB Administration – Technical Systems
Technical Systems
Technical Systems provide
E2E Alerting: the managed system raises an alert in case of an error
Manual start of data collection
Link to (EFWK) Administration
Status Grouping: Config Store list with status (error) categories per technical (managed) system
Configuration Validation
Architecture Overview
Data collection: Solution Tool Plugins on ABAP-based installations and Diagnostics Agents on Java-based installations feed the Extractor Framework (EFWK), which loads the Configuration and Change Database (CCDB) in Solution Manager (EHP1 and later) once a day.
Configuration Validation Reporting: a Virtual InfoProvider (0SMD_VCA2) reads the CCDB via a function module; the reporting is interactive and BI based (Configuration Validation and Change Reporting).
Target System Maintenance (DB table): customer-defined system configurations / baselines are created by copying existing system configurations and manually maintaining the copied configuration data.
Content Deliverables – Configuration Items Overview
Software Release Validation: Application, Kernel, Database, Operating System, Support Package Stack, Software Component Versions, Implemented SAP Notes, Imported ABAP Transports; Web AS ABAP Kernel Release, Java VM version, Web AS Java Release, Database Release, Operating System Release
Parameter Validation: SAP product-specific settings (PI/XI-specific, BI-specific and BIA-specific configuration), ABAP Instance Parameters, Java VM parameters for J2EE, Database Parameters, Operating System Environment Settings
Security: Standard Users, Gateway Secinfo, Gateway Reginfo, Critical authorization profiles, Critical authorizations
CCDB Content Overview of an ABAP system
Software Configuration
ABAP Instance Parameter
Database Configuration
Operating System Configuration
Business Warehouse Configuration
RFC Destinations Configuration
System Change Option Configuration
Security Configuration
Critical user authorizations
CCDB Content Overview of a J2EE system
ADOBE DOCUMENT SERVICES
ADS
BOOTSTRAP
DBPOOL
HTTP
ICM
IGS
J2EE
J2EE Engine
J2EE Software
J2EE Transports
JSTARTUP
JVM Parameters
KERNEL
LIBRARY
LOG
LV
OS
SDM
SECURITY
SERVICE
SLD
START Parameters
SAP J2EE ENGINE J2EE ENGINE SERVERCORE
What is Configuration Validation?
The Idea behind Configuration Validation
(Diagram) A reference system provides the configuration items (ABAP Notes, Software Packages, Transports, Parameters, ...) that serve as the target. Configuration Validation compares them with the configuration items of the compared systems (System 1, System 2, ... System N) and reports, per compared system, the compliance with the reference system, e.g. at kernel level and for Software Packages, ABAP Notes and Transports.
A reporting to understand how homogeneous the configuration of systems is
Typical questions are:
All systems on a certain OS level or DB level?
Template configuration (SAP or DB parameters) applied on all systems?
No kernel older than 6 months on all systems?
Security policy settings applied? Security defaults in place?
Have certain transports arrived in the systems?
Configuration Validation
Target System Maintenance
Configuration Validation – Drilldown Reporting
(Screenshot: report formatting options and drilldown by instance name)
Rule Based Operators
Introducing operators offers greater flexibility to define a fitting target system.
Operators and Target Systems
In Solution Manager 7.1 all rules are transparent and no rules are hardcoded
Operators available for all types of Config Stores: property, table, text, and xml
Operators comprise the rule used for validation for a Config Item
ABAP/Java Notes – based on System Recommendations
Option b) all notes based on System Recommendations
The SAP Notes relevant for the source system can be restricted via
Data Range
Note Group – for example, only Security and HotNews SAP Notes can be inserted
New with Solution Manager 7.1 SP 9
BW Reporting based on System Recommendations for note list
New option to paste note numbers into the selection screen
of the reporting as of SolMan 7.1 SP 9 for the query showing
results of System Recommendations.
Step 1: Activate the new option
Step 2: Paste the system names or the note numbers into the new popup
Critical User Authorizations: Config Stores in CCDB
AUTH_CHECK_USER
User authority check store
AUTH_PROFILE_USER
User profile check store
AUTH_TRANSACTION_USER
User transaction check store
Example: Store Content of AUTH_PROFILE_USER
Critical User Authorizations: Customizing Store Content
The CCDB Administration tool allows you to customize the content of these stores:
Call transaction CCDB to start the CCDB Administration tool
Navigate to tab "Technical Systems"
Select the system and display the stores relevant for critical user authorizations
Navigate to tab "Customizing"
Create a new customizing variant and adjust it accordingly (by default only users with
the SAP_ALL profile are tracked)
Critical User Authorizations: Analysis of user profiles
AUTH_PROFILE_USER: the user profile check store in the Target System (reference) defines that no user is allowed
to have the SAP_ALL profile.
Validation Output: the users which have critical authorizations in the system SI7 (compared system)
Critical User Authorizations: Analysis of user authorizations
AUTH_CHECK_USER : User authorizations check store in the Target System (reference) defines that only certain
admin users are allowed to have debug authorizations
Validation Output: Users which have the critical debug authorizations in the system SD7 (compared system) can be
easily found
Critical User Authorizations: Analysis of user transactions
AUTH_TRANSACTION_USER: the user transaction check store in the Target System (reference) defines that only
admin users are allowed to have the authorization for transaction SM59.
Validation Output: the users who are not allowed to have the authorization for RFC destination configuration (SM59) in the system
SD7 (compared system) can be easily found.
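The following Python script is an added example, not code from this presentation or from SAP. It evaluates constructed user authorization data against the critical-authorization checks of the SOS "Top Issues" slides above (check IDs 0022, 0241, 0308, 0513, 0514, 0520) and against a whitelist of the kind kept in the SOS questionnaire or in the AUTH_PROFILE_USER / AUTH_CHECK_USER / AUTH_TRANSACTION_USER target stores, and reports for each check the total count of holders and the holders that are not whitelisted. The user records, the whitelist and the matching of field values (a simplified model of SAP's "*", trailing-"*" prefix and low..high range semantics) are assumptions of the example; the authorization objects and their field names are the real ones.

```python
"""Evaluation of user authorization data against the critical-authorization
checks of the SOS "Top Issues" slides (check IDs 0022, 0241, 0308, 0513, 0514,
0520) and the kind of whitelist kept in the SOS questionnaire or in the
AUTH_*_USER target stores.

Added example, not SAP code. All user records and the whitelist are
constructed; the field-value matching is a simplified model of SAP
authorization values ('*', trailing '*' prefix, low..high range).
"""
from dataclasses import dataclass


@dataclass
class User:
    name: str
    profiles: set   # profiles assigned to the user, e.g. {"SAP_ALL"}
    auths: list     # authorizations: (object, {FIELD: [(low, high), ...]})


def value_matches(low, high, wanted):
    """'*' matches everything, a trailing '*' is a prefix wildcard, a filled
    'high' turns low..high into a range, otherwise the value must be equal."""
    if low == "*":
        return True
    if high:
        return low <= wanted <= high
    if low.endswith("*"):
        return wanted.startswith(low[:-1])
    return low == wanted


def has_authorization(user, obj, wanted):
    """True if a single authorization for 'obj' covers every wanted field value
    (field values of different authorizations are not combined)."""
    for auth_obj, fields in user.auths:
        if auth_obj == obj and all(
                any(value_matches(lo, hi, want) for lo, hi in fields.get(f, []))
                for f, want in wanted.items()):
            return True
    return False


# Check -> (object, wanted field values) or ("PROFILE", profile name).
# Objects and field names are the real ones (S_DEVELOP: OBJTYPE/ACTVT,
# S_TABU_DIS: DICBERCLS/ACTVT, S_RFC: RFC_NAME, S_TCODE: TCD).
CHECKS = {
    "0022 SAP_ALL profile":              ("PROFILE", "SAP_ALL"),
    "0308 debug/replace":                ("S_DEVELOP", {"OBJTYPE": "DEBUG", "ACTVT": "02"}),
    "0513 display all tables":           ("S_TABU_DIS", {"DICBERCLS": "*", "ACTVT": "03"}),
    "0514 change all tables":            ("S_TABU_DIS", {"DICBERCLS": "*", "ACTVT": "02"}),
    "0520 execute all function modules": ("S_DEVELOP", {"OBJTYPE": "FUGR", "ACTVT": "16"}),
    "0241 full S_RFC":                   ("S_RFC", {"RFC_NAME": "*"}),
    "SM59 start authorization":          ("S_TCODE", {"TCD": "SM59"}),
}

# Constructed whitelist: emergency users are accepted for every check, and
# named admins for specific checks (as the questionnaire / target store would).
EMERGENCY_USERS = {"FIREFIGHTER"}
ALLOWED_EXTRA = {"SM59 start authorization": {"BASIS_ADM"}}


def users_with(users, check):
    obj, wanted = CHECKS[check]
    if obj == "PROFILE":
        return [u.name for u in users if wanted in u.profiles]
    return [u.name for u in users if has_authorization(u, obj, wanted)]


def find_violations(users):
    """Per check: how many users hold the critical authorization (a high count
    is itself a finding) and which of them are not whitelisted."""
    result = {}
    for check in CHECKS:
        holders = users_with(users, check)
        allowed = EMERGENCY_USERS | ALLOWED_EXTRA.get(check, set())
        result[check] = {"count": len(holders),
                         "unexpected": sorted(h for h in holders if h not in allowed)}
    return result


ANY = [("*", "")]
SAMPLE_USERS = [   # constructed, not from any real system
    User("FIREFIGHTER", {"SAP_ALL"}, [
        ("S_DEVELOP", {"OBJTYPE": ANY, "ACTVT": ANY}),
        ("S_TABU_DIS", {"DICBERCLS": ANY, "ACTVT": ANY}),
        ("S_RFC", {"RFC_NAME": ANY}), ("S_TCODE", {"TCD": ANY})]),
    User("BASIS_ADM", set(), [
        ("S_DEVELOP", {"OBJTYPE": [("DEBUG", "")], "ACTVT": [("03", "")]}),   # display only
        ("S_TABU_DIS", {"DICBERCLS": [("SS", "")], "ACTVT": [("03", "")]}),
        ("S_RFC", {"RFC_NAME": [("Z*", "")]}), ("S_TCODE", {"TCD": [("SM59", "")]})]),
    User("DEV_HANS", set(), [
        ("S_DEVELOP", {"OBJTYPE": ANY, "ACTVT": [("01", "03")]}),  # range covers 02
        ("S_DEVELOP", {"OBJTYPE": [("FUGR", "")], "ACTVT": [("16", "")]}),
        ("S_TCODE", {"TCD": [("SE*", "")]})]),
    User("RFC_BATCH", set(), [
        ("S_RFC", {"RFC_NAME": ANY}), ("S_TCODE", {"TCD": [("SM59", "")]})]),
    User("REPORT_USER", set(), [
        ("S_TABU_DIS", {"DICBERCLS": ANY, "ACTVT": [("03", "")]})]),
]

if __name__ == "__main__":
    for check, r in find_violations(SAMPLE_USERS).items():
        print(f"{check:36} count={r['count']}  unexpected={r['unexpected']}")
```

On real data the user records would come from the authorization tables of the managed system (or from the CCD B stores shown above); the point of the whitelist is the same as in the SOS questionnaire: accepted emergency users drop out of the "unexpected" list, and everything that remains is either a finding or a candidate for the next questionnaire update.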
RFC Hopping: Overview
Risk of RFC Hopping with RFC Destinations
Privilege Escalation
User impersonation
Bypass Network Firewalls
Hop through the whole system landscape (e.g. jump to a central system like the SolMan)
Countermeasure
Identify critical RFC Destinations across systems
Identify RFC Destinations to critical systems
Example landscape (diagram): a user logs on to ERP Prod (ABAP) as user D12345. In ERP Prod, SM59 holds destinations to CRM Prod (ABAP) with user ABC (restricted permissions) and with user XYZ (SAP_ALL permissions), and to SRM Dev (ABAP) with user EWA (restricted permissions) and with user AWE (SAP_ALL permissions). Via the destinations with stored logon data, D12345 can jump to CRM Prod as user XYZ and to SRM Dev as user AWE, i.e. with SAP_ALL in the remote systems, whatever D12345's own permissions are.
RFC Hopping: Store RFCDES_TYPE_3_CHECK
RFCDES_TYPE_3_CHECK: for each RFC destination of type 3 (ABAP connection) it is checked whether the user stored in this
RFC destination has critical authorizations in the destination system and/or can be used for logon.
Store columns: RFC Destination, Logon Client and User, Destination System, Result of RFC Destination Analysis (CV_USER_PROFILE_RESULT)
Values of CV_USER_PROFILE_RESULT:
CRITICAL_USER_PROFILE – the stored user exists in the destination system and has critical authorizations
OK_USER_NOT_IN_PROFILE_STORE – the stored user exists in the destination system but does not have
critical authorizations
OK_NO_USER_OR_PW_IN_RFCDEST – no user and/or no password is stored in the destination
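The RFCDES_TYPE_3_CHECK analysis and the hopping scenario of the overview slide, as an added example that is neither SAP's code nor taken from the slides: the Python script below classifies constructed RFC destinations with the CV_USER_PROFILE_RESULT values listed above, then walks the destinations that store a usable logon to list where an attacker on one system can get to and as which user (from ERP to CRM as XYZ and to SRM as AWE, as on the slide, plus one assumed onward hop from SRM to a Solution Manager system), and finally lists all destinations pointing to one critical system. System IDs, destination names, users and profiles are constructed; treating a stored user that does not exist in the target system as OK_USER_NOT_IN_PROFILE_STORE is an assumption of the example.

```python
"""RFC-hopping analysis over a landscape's RFC destinations, modelled on the
RFCDES_TYPE_3_CHECK store: every destination is classified with the
CV_USER_PROFILE_RESULT values, and the destinations that store a usable logon
are then walked to see which systems an attacker on one system can reach, and
as which user.

Added example, not SAP code. Systems, destinations and user profiles are
constructed sample data following the overview slide (ERP -> CRM / SRM), plus
one onward hop from SRM to a Solution Manager system (SOL).
"""
from dataclasses import dataclass

# Critical profiles; customizable via AUTH_PROFILE_USER, the default is SAP_ALL.
CRITICAL_PROFILES = {"SAP_ALL"}


@dataclass(frozen=True)
class RfcDest:
    name: str           # destination name as in SM59
    source: str         # system (SID) in which the destination is defined
    target: str         # destination system (SID)
    user: str           # stored logon user, "" if none
    has_password: bool  # password stored in the logon data


# Per system: user -> assigned profiles (what each system's AUTH_PROFILE_USER store holds).
USER_PROFILES = {
    "CRM": {"ABC": {"Z_CRM_RFC"}, "XYZ": {"SAP_ALL"}},
    "SRM": {"EWA": {"Z_SRM_RFC"}, "AWE": {"SAP_ALL"}},
    "SOL": {"SMD_ADM": {"SAP_ALL"}},
    "ERP": {},
}

DESTINATIONS = [
    RfcDest("CRM_ABC", "ERP", "CRM", "ABC", True),
    RfcDest("CRM_XYZ", "ERP", "CRM", "XYZ", True),
    RfcDest("SRM_EWA", "ERP", "SRM", "EWA", True),
    RfcDest("SRM_AWE", "ERP", "SRM", "AWE", True),
    RfcDest("SOLMAN_TRUST", "SRM", "SOL", "SMD_ADM", True),
    RfcDest("ERP_BACK", "CRM", "ERP", "", False),  # no stored logon, cannot be hopped
]


def classify(dest, user_profiles=USER_PROFILES):
    """CV_USER_PROFILE_RESULT for one destination; a stored user that does not
    exist in the target system is treated like one without critical profiles."""
    if not dest.user or not dest.has_password:
        return "OK_NO_USER_OR_PW_IN_RFCDEST"
    profiles = user_profiles.get(dest.target, {}).get(dest.user, set())
    if profiles & CRITICAL_PROFILES:
        return "CRITICAL_USER_PROFILE"
    return "OK_USER_NOT_IN_PROFILE_STORE"


def hop_paths(start, dests, max_hops=4):
    """Breadth-first walk over destinations with stored logon data, starting
    from 'start'. Returns {(system, user): [destination names]} with the first
    (shortest) path that lands in 'system' as 'user'."""
    usable = [d for d in dests if d.user and d.has_password]
    paths = {}
    frontier = [(start, [])]
    visited = {start}
    for _ in range(max_hops):
        nxt = []
        for system, path in frontier:
            for d in usable:
                if d.source != system:
                    continue
                paths.setdefault((d.target, d.user), path + [d.name])
                if d.target not in visited:
                    visited.add(d.target)
                    nxt.append((d.target, path + [d.name]))
        frontier = nxt
    return paths


def critical_reach(start, dests, user_profiles=USER_PROFILES):
    """Hops from 'start' that end up with a critical profile: (system, user, path)."""
    return sorted(
        (system, user, path)
        for (system, user), path in hop_paths(start, dests).items()
        if user_profiles.get(system, {}).get(user, set()) & CRITICAL_PROFILES)


def destinations_to(system, dests):
    """All destinations pointing to one (critical) system, whatever their logon data."""
    return [d.name for d in dests if d.target == system]


if __name__ == "__main__":
    for d in DESTINATIONS:
        print(f"{d.source} -> {d.target:4} {d.name:13} {classify(d)}")
    for system, user, path in critical_reach("ERP", DESTINATIONS):
        print(f"from ERP reach {system} as {user} via {' > '.join(path)}")
```

Note that the second hop into the Solution Manager system lands with SAP_ALL although the first hop (SRM_EWA) only used a restricted user: a destination with a restricted user is still a stepping stone to every destination defined in the system it points to, which is why both views of the target system (critical destinations, and all destinations pointing to a critical system) are needed.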
RFC Hopping: Target System to find all critical RFC Destinations
RFCDES_TYPE_3_CHECK: in the target system this store has been reduced to one record, which defines the pattern used to search for all RFC
destinations with critical status.
RFC Hopping: Output with critical RFC Destinations
0TPL_0SMD_VCA2_NCOMPL_CI_REF: this report shows all RFC destinations with critical status. The critical user
authorizations can be customized via the AUTH_PROFILE_USER store (by default, users with the profile
"SAP_ALL" are checked).
Validation Details: in the column "Comparison Value" you find all details on the critical RFC destination. In this
example the RFC destination "PMIB4X001", created in the system B4X, has the user "PIRWBUSER" and its
password saved in the logon data, and this user has the profile "SAP_ALL" assigned in the system B4X.
RFC Hopping: Find all RFC Destinations pointing to a critical System
RFCDES_TYPE_3_CHECK: in the target system this store has been reduced to one record, which defines the pattern used to search for all RFC
destinations pointing to the system SI7.
RFC Hopping: Output with the RFC Destinations pointing to a critical System
0TPL_0SMD_VCA2_CITEMS_REF: This Report displays validation results for all RFC Destinations.
Filter: Select filter value “Yes” for column “Compliance” to display only the RFC
Destinations pointing to the critical system.
UI: Security Template
The Security Template:
gives customers a head start when beginning with configuration validation for security. It contains
suggested rules and values for a number of Config Stores and can be used to create a target system.
It is possible to add or remove Config Stores and to change rules and values.
Security Template: Examples of Store Definition
MS_SECINFO: the definition means that the entry HOST=*, which is the default entry used in a system in case no message
server ACL is defined, is validated as NON compliant.
GW_SECINFO: this definition validates all lines that use only parameters with the value * as non compliant, which gives
the same result as the validation in EhP1, see SAP Note 1234799.
SICF_SERVICES: in an SAP system only the really needed services of the SAP Internet Communication Framework (ICF)
should be active.
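The GW_SECINFO and MS_SECINFO rules above, as an added example that is not SAP's code and not part of the Security Template: a Python checker for constructed gateway secinfo / reginfo files (VERSION=2 syntax) and a constructed message server ACL. It flags permit lines consisting only of "*" values, flags HOST=* in the ACL, and shows a hardened secinfo beside the weak one. Because the gateway uses the first matching line, the checker additionally reports every line after an all-wildcard permit line as shadowed; that "SHADOWED" status is this example's addition, not a status of the store. Host names, users and program paths in the samples are constructed.

```python
"""Checks on gateway secinfo / reginfo content and on the message server ACL
in the spirit of the GW_SECINFO and MS_SECINFO store definitions: a permit
line whose parameters are all '*' is non-compliant, and HOST=* in the message
server ACL (the default when no ACL file is defined) is non-compliant. Since
the gateway takes the first matching line, everything after an all-wildcard
permit line is reported as shadowed.

Added example, not SAP code. The file contents are constructed samples in the
VERSION=2 syntax of secinfo / reginfo and the HOST=... syntax of ms/acl_info.
"""

SECINFO_WEAK = """\
#VERSION=2
P TP=* USER=* HOST=* USER-HOST=*
P TP=/usr/sap/PR1/SYS/exe/run/* USER=pr1adm HOST=local USER-HOST=local
D TP=* USER=* HOST=*
"""

SECINFO_HARDENED = """\
#VERSION=2
P TP=/usr/sap/PR1/SYS/exe/run/* USER=pr1adm HOST=local USER-HOST=local
P TP=tp USER=pr1adm HOST=local USER-HOST=local
D TP=* USER=* HOST=*
"""

REGINFO_WEAK = """\
#VERSION=2
P TP=SAPSLDAPI HOST=sldhost.example.com ACCESS=internal CANCEL=internal
P TP=* HOST=* ACCESS=* CANCEL=*
"""

MS_ACL_DEFAULT = "HOST=*\n"   # what a system effectively uses without an ACL file


def parse_acl(text):
    """secinfo/reginfo lines -> (lineno, action, {KEY: value}); comments and
    blank lines are skipped, keys are upper-cased."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, _, rest = line.partition(" ")
        params = {k.upper(): v for k, _, v in (tok.partition("=") for tok in rest.split()) if k}
        entries.append((lineno, action.upper(), params))
    return entries


def all_wildcard(params):
    return bool(params) and all(v == "*" for v in params.values())


def check_gateway_file(text):
    """Findings as (lineno, status, reason) for a secinfo or reginfo file."""
    findings = []
    open_permit = None   # line number of the first all-wildcard permit line
    for lineno, action, params in parse_acl(text):
        if open_permit is not None:
            findings.append((lineno, "SHADOWED",
                             f"never evaluated, line {open_permit} already permits everything"))
        elif action == "P" and all_wildcard(params):
            findings.append((lineno, "NON_COMPLIANT", "permit line with only '*' values"))
            open_permit = lineno
    return findings


def check_ms_acl(text):
    """MS_SECINFO rule: HOST=* lets any host log on to the message server as
    an application server."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.strip().upper() == "HOST" and value.strip() == "*":
            findings.append((lineno, "NON_COMPLIANT", "HOST=* (default without ACL) admits every host"))
    return findings


if __name__ == "__main__":
    for label, text in (("secinfo weak", SECINFO_WEAK), ("secinfo hardened", SECINFO_HARDENED),
                        ("reginfo weak", REGINFO_WEAK)):
        print(label, check_gateway_file(text))
    print("ms acl", check_ms_acl(MS_ACL_DEFAULT))
```

The hardened secinfo keeps only explicit permit lines and ends with an explicit deny-all line; the deny line is all wildcards too, but it is a D line, so the rule does not flag it.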
Security Template: Examples of Store Definition
STANDARD_USERS: the password status should not be DEFAULT. The user SAP* must exist in all clients and its password
must be changed. The other standard users do not need to exist in all clients.
ABAP_INSTANCE_PAHI: the definition covers parameters that are also validated by the Security Optimization Service (SOS).
The regex for login/ticket_expiration_time means that a value of less than 12 hours is compliant.
Target System Maintenance (7.1 SP10)
Save versions of compliance rules
Rule Repository
It‘s possible to save versions of a
compliance rule to track what has
been changed over the time.
It supports to create a rule repository
for reuse in other target systems.
Weighted Validation (7.1 SP10)
Target System Maintenance - Maintain weight and description
Weight and Description
It is possible (but not necessary) to set a Weight per config item (Very High, High, Medium, and Low).
An additional description per item may be maintained. The description is also available in reporting.
Weighted Validation (7.1 SP10)
Reporting Templates
Weighted Validation (7.1 SP10)
Reporting – items with weight and description
Weighted Validation (7.1 SP10)
Number of elements per weight
Example
Distribution of non-compliant items
per weights per technical system
(Initial View: Non-Compliant)
Weighted Validation (7.1 SP10)
Cumulated risk factors per System Validation
Factors: if weights are not enough, you can combine them with factors to get to an overall result. Factors can be customized.
Example (#items * factor):
Very High items: 18 * 1 = 18
High items: 9 * 0.1 = 0.9
Medium items: 12 * 0.05 = 0.6
Sum: 19.5
If the cumulative weighting is greater than 1, the system is rated red: 19.5 > 1, so the system is rated Red.
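The rule-based operators and the weighted validation with factors described above, as an added example that is not SAP's code: a small Python validation engine that checks ABAP_INSTANCE_PAHI-style parameter stores of two systems against a target system whose items carry an operator, a reference value and a weight, counts the non-compliant items per weight, and applies the factors from the slide (Very High 1, High 0.1, Medium 0.05; the factor 0.01 for Low is an assumption) and the "greater than 1 is red" rating. Operator names, the baseline values and both systems' parameter values are constructed; the parameter names are real ABAP profile parameters. The block also reproduces the slide's 18 / 9 / 12 example.

```python
"""Configuration validation as described on this page: a target system holds,
per config item, an operator, a reference value and a weight; each compared
system's store is checked item by item, and the non-compliant items are rolled
up into a cumulated risk factor and a red/green rating.

Added example, not SAP code. Operator names, baseline values and the two
systems' parameter values are constructed; the factors for Very High / High /
Medium are the ones from the slide, the factor for Low is an assumption.
"""
import re

FACTORS = {"Very High": 1.0, "High": 0.1, "Medium": 0.05, "Low": 0.01}
RED_THRESHOLD = 1.0   # cumulated factor > 1 rates the system red


def _in_range(actual, ref):
    lo, hi = ref.split("-")
    return float(lo) <= float(actual) <= float(hi)


# Operators (names are this example's, not SAP's): (actual, reference) -> bool.
OPERATORS = {
    "equal":     lambda actual, ref: actual == ref,
    "not_equal": lambda actual, ref: actual != ref,
    "regex":     lambda actual, ref: re.fullmatch(ref, actual) is not None,
    "at_least":  lambda actual, ref: float(actual) >= float(ref),
    "less_than": lambda actual, ref: float(actual) < float(ref),
    "in_range":  _in_range,
}

# Target system: config item -> (operator, reference value, weight).
# The parameter names are real ABAP profile parameters; the baseline is constructed.
TARGET = {
    "login/no_automatic_user_sapstar": ("equal",     "1",     "Very High"),
    "rfc/reject_expired_passwd":       ("equal",     "1",     "Very High"),
    "gw/sec_info":                     ("not_equal", "",      "Very High"),
    "login/min_password_lng":          ("at_least",  "8",     "High"),
    "auth/rfc_authority_check":        ("regex",     "[1-9]", "High"),
    "login/password_expiration_time":  ("in_range",  "1-90",  "Medium"),  # 0 = never expires
    "login/ticket_expiration_time":    ("less_than", "12",    "Medium"),
}

# Constructed ABAP_INSTANCE_PAHI-style stores of two compared systems.
STORES = {
    "PR1": {"login/no_automatic_user_sapstar": "1", "rfc/reject_expired_passwd": "1",
            "gw/sec_info": "/usr/sap/PR1/SYS/global/secinfo", "login/min_password_lng": "8",
            "auth/rfc_authority_check": "1", "login/password_expiration_time": "90",
            "login/ticket_expiration_time": "8"},
    "DEX": {"login/no_automatic_user_sapstar": "0", "rfc/reject_expired_passwd": "0",
            "login/min_password_lng": "6", "auth/rfc_authority_check": "1",
            "login/password_expiration_time": "0", "login/ticket_expiration_time": "60"},
}


def validate(target, store):
    """Check one store item by item. Returns (item, weight, compliant, detail);
    an item missing from the store or with an unparsable value is non-compliant."""
    rows = []
    for item, (op, ref, weight) in target.items():
        actual = store.get(item)
        if actual is None:
            rows.append((item, weight, False, "item missing in store"))
            continue
        try:
            ok = OPERATORS[op](actual, ref)
        except ValueError:
            ok = False
        rows.append((item, weight, ok, f"{op} {ref!r}, actual {actual!r}"))
    return rows


def non_compliant_per_weight(rows):
    counts = {}
    for _, weight, ok, _ in rows:
        if not ok:
            counts[weight] = counts.get(weight, 0) + 1
    return counts


def risk_factor(counts, factors=FACTORS):
    """Cumulated risk factor: sum over weights of #non-compliant items * factor."""
    return sum(n * factors[w] for w, n in counts.items())


def summarize(target, stores):
    out = {}
    for sid, store in stores.items():
        counts = non_compliant_per_weight(validate(target, store))
        risk = risk_factor(counts)
        out[sid] = {"non_compliant": counts, "risk": risk,
                    "rating": "RED" if risk > RED_THRESHOLD else "GREEN"}
    return out


if __name__ == "__main__":
    for sid, s in summarize(TARGET, STORES).items():
        print(sid, s)
    print("slide example:", risk_factor({"Very High": 18, "High": 9, "Medium": 12}))
```

Two design points worth copying into a real target system: an item that is absent from the store counts as non-compliant rather than as unknown (DEX has no gw/sec_info at all), and a "zero disables the check" parameter such as login/password_expiration_time needs a range operator, since a plain "at most 90" would accept 0.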
Filtering notes provided by System Recommendation Reporting in SP10
Paste notes from clipboard: SAP Note numbers can be pasted easily from the clipboard as a filter for the System Recommendations output.
Configuration Stores for SAP HANA in SP10
On Database Level
Store Groups
HDB_LEVEL
HDB_PARAMETER
On Host Level
Store Groups
HANA_HW_VALIDATION
HANA_IMDB_NAMESERVER
HANA_INI_FILES
HANA_SAPPROFILE_CONF
New Configuration Stores for SAP HANA in SP12
On Database Level
Store Group HANA-SECURITY
AUDIT_POLICIES: contains the HANA audit policies
PASSWORD_BLACKLIST: contains password patterns that must not be used (collection only works with SYSTEM authorization)
PUBLIC_USERS: HANA DB users and their attributes
SEGREGATION_NATIVE_OBJECTS: contains the objects for which the Segregation of Duties (SoD) constraint concerning native objects is not met
SPECIAL_PRIVILIGES: users having special privileges like TRACE ADMIN, DATA ADMIN, IMPORT, DELETE, INSERT, UPDATE
New Features of Configuration Validation (Solution Manager 7.1 SP10 and 7.1 SP12)
Config Store with project attributes of ABAP Transports
Weighted Security Item Reporting
Alerts for expiring J2EE certificates
Additional house keeping features for CCDB (anti-aging)
X-Single Column Reporting for Configuration Validation
Config Store for SAP HANA (e.g. ini-files)
Bookmarks with variables for target and comparison system
Improved dynamic comparison lists
CCDB with navigation to other tools, X-search for config items
Dashboard supports drilldown into ConfigVal reporting
Further Information and Contact
Configuration Validation
Configuration Validation @ SDN
http://wiki.sdn.sap.com/wiki/display/TechOps/ConfVal_Overview
http://wiki.sdn.sap.com/wiki/display/TechOps/ConfVal_Home
Configuration Validation: Expert Guided Implementation – "Training on the Job" at Its Best
Training, practical experience, remote consulting (same daily pattern on Day 1, Day 2 and Day 3-5)
Empowering: Web session, 1-2 hours each morning. An SAP expert explains the step-by-step
configuration using training materials.
Execution: 2-3 hours on the same day. Participants execute the demonstrated steps
within their own project, on their own SAP Solution Manager software.
Expertise on demand: during execution. Participants have direct access to an
SAP expert who directly supports them remotely, if necessary, during the execution.
More information on available EGI topics and booking information can be found here:
https://service.sap.com/expert-guided-implementation
Security in Operations
Dashboards & Alerts
Management Dashboard
Designed for: IT Managers
Answers the question:
“What is the current status of my IT department?”
“Are there currently any major issues in the IT department?”
Scope:
Easy and effortless usage of SAP dashboard apps
Clear-cut overview of score zones in customer-tailored focus
Technology:
Management Dashboard Framework in SAP Solution Manager
based on SAP BusinessObjects Dashboards
Time horizon: Near real-time
https://service.sap.com/dashboards
Security in Operations – The Big Picture (1/2)
Screens on the wall: Management Dashboards – status overview, management view
Workplace: Inbox / Alerts – input / work items; Reporting & Drill Down – tools for analysis and deeper insight
Follow-up workflows: Incident Management with Guided Procedures (immediate resolution); Change Management (change projects)
Security in Operations – The Big Picture (2/2)
Management Dashboards
Provide an overview of the system landscape status
For security, they could also include the progress of get-clean projects
Mainly used for a quick status overview as required by management and operations
Inbox of Work Items – used as trigger for action
For security, it may contain
Snapshot spot checks (identified issues at time of check)
Security-critical events (independent of time of check)
Incident Management
Guided Procedures (Immediate Resolution)
Change Management (Change Projects)
Management Dashboards – Security View
Monitoring "Stay Clean" views; monitoring "Get Clean" projects; monitoring the "Security Alerts" situation
(Screenshot: dashboard blocks showing, per target system, how many of the listed systems are compliant / non-compliant)
Critical System Parameters – Target: System_Params – Systems: PR1, PR2, PR3, PR4, DEX, DEY, DEZ, ...
SAP* / SAP_ALL – Target: SAP_Star-SAP_ALL – Systems: PR1, PR2, PR3, PR4, DEX, DEY, DEZ, ...
Missing Security HotNews – Target: Security_HotNews – Systems: PR1, PR2, PR3, PR4, DEX, DEY, DEZ, ...
Secure AS Gateway Config – Target: Gateway_Security_Project – Systems: PR1, PR2, PR3, PR4, DEX, DEY, DEZ, ...
System w. Security Alerts – Target: Security_Alerts – Systems: PR1, PR2, PR3, PR4, DEX, DEY, DEZ, ...
See Configuration Validation based Management Dashboards for examples
Big Picture: Reporting / Alerting / Management Dashboard
Configuration Validation target systems can be used in several areas: Configuration Validation reporting, System Monitoring / Alerting, and the Management Dashboard.
New with Solution Manager 7.1 SP 3: Security Dashboards
Personal Dashboard
WebDynpro ABAP application MY_DASHBOARD
The personal dashboard apps show the validation results of the comparison of selected systems with a target system.
New with Solution Manager 7.1 SP 3: Security Dashboards
Dashboard Management
Proposal: create individual dashboard blocks for different KPIs and include them in a specific security dashboard.
Define dashboards to be used by others: WebDynpro ABAP applications DASHBOARD_MANAGEMENT and GENERIC_DASHBOARD_VIEWER
E2E Alerting
It‘s possible to add a target system to E2E Alerting. Non-compliant items could then cause an
alert within the alert inbox (System alert: configuration validation)
Consolidated Alert Overview – Short Introduction
The following information is shown in the Alert Inbox overview screen:
• Basic information, e.g.
− Issue Area, category, relevant system, current status etc.
• History information, e.g.
− How many alerts have been raised / Worst rating in the past / No. of status changes etc.
• Processing information, e.g.
− Processor name, current status (automatic confirmation, manual notification, incident etc.)
Technical Monitoring – Alert Inbox
Personalized query for Security Configuration
Technical Monitoring – Alert Inbox
Drill-Down Reporting
Alert Inbox (screenshot): alert "Unexpected Assignment of SAP_ALL"
Reporting / Drill-Down (e.g. via Configuration Validation)
Alerting based on
SAP EarlyWatch Alert
SAP EarlyWatch Alert Integration into Operation
You want to...
Get all system alerts in one place
Get access to SAP assistance
Why integrate EWA into operation?
Optimize system behavior
Reduce manual effort due to consolidated overview of critical EWA findings
Start mitigating measures directly out of the reported issue
Continuous system improvement by
leveraging EWA results
EWA Results Now Available in Alert Inbox
Advantages
• EWA results are in one place, with customizable views
• No need to check EWA reports manually every week
• Recommendations and guidelines for alert resolution are in the same place
• Processing of alerts in inbox supported by integration with incident management, alert assignment etc.
Alert Details and Metrics
Opening a specific alert displays the individual details of the alert
Mark a line to see how to resolve the issue
Alert Handling
The handling of alerts is supported by…
• Sending mail or SMS notifications
• Integration of Issue Management
• Assigning a person responsible to an alert
Use Case for EWA Security Alerts
Red Alert: Security Alert appears in Alert Inbox
Actions & Recommendations: Alert Details recommends actions to resolve the alert, e.g. to implement a SAP Note, to change the passwords etc.
Resolution: Follow the recommendation. Assign alerts to processor for follow up and issue resolution
Green Rating: Problem is solved. Next set of Alerts in Inbox is green
Technical Details
Prerequisites
• Solution Manager system and connected managed systems with activated EWA
• Alert Inbox for EarlyWatch Alert is available with Solution Manager 7.1 SP05 onwards
Activation
• EWA integration into Alert Inbox is activated automatically. No manual configuration steps are required
• Currently, updates to the EWA Alert Inbox template are shipped via Support Packages. New template content
has to be activated manually. In the future it is planned that new content will be imported and activated
dynamically
Alerting based on
Security Audit Log
Overview
Prerequisites
• The Security Audit Log is activated on the managed system using transaction SM19
• The “Security” monitor within the monitor set “SAP CCMS Monitor Template” is activated using transaction RZ20
Monitoring in general
http://sdn.sap.com/irj/sdn/monitoring
Security Monitor
http://help.sap.com/saphelp_nw70/helpdata/en/23/c9833b3bb1780fe10000000a11402f/frameset.htm
Activation
• Activate the corresponding alerts in the SAP Solution Manager
Defining User Alerts in the SAP Solution Manager
https://help.sap.com/saphelp_sm71_sp08/helpdata/en/3b/a8413599b244b6a03ac9d2a3bdaf2f/frameset.htm
Recommended Filter settings for the Security Audit Log according to blog http://scn.sap.com/message/14404056
1. Filter: Activate everything which is critical for all users '*' in all clients '*'.
You may deactivate the messages of class “User master record change (32)” because you get change documents for users in transaction SUIM anyway.
Consider adding messages AUO, AUZ, BU5, BU6, BU7, BU9, BUA, BUB, BUC, BUH, AUP, AUQ.
If you maintain logical file names using transaction FILE (see note 1497003), then add messages CUQ, CUR, CUS, CUT.
2. Filter: Activate everything for special user SAP* in all clients '*'.
You cannot use a filter 'SAP*' because this would include the virtual user. However, you can use the special filter value 'SAP#*' instead.
3+4. Filter: Activate everything for other support and emergency users, e.g. 'SAPSUPPORT*' (SAP Support users) and 'FF*' (FireFighter) respectively, in all clients '*'.
5. Filter: Activate all events for the dialog activities 'logon' and 'transaction' for user 'DDIC' in all clients.
This user should not be used in dialog mode. It's only required for specific activities while applying support packages or while importing transports (however, in this case you can use another background user as well).
6. Filter: Activate everything for client '066'.
This client is not used anymore and can be deleted
(see http://scn.sap.com/community/security/blog/2013/06/06/how-to-remove-unused-clients-including-client-001-and-066 ).
7. Filter: Activate RFC events (AUL, AUK, AU6, AU5) for a short time for selected users to identify RFC connection problems easily
(see http://scn.sap.com/community/security/blog/2010/12/05/how-to-get-rfc-call-traces-to-build-authorizations-for-srfc-for-free ).
8.-10. Filter: free for other project-specific purposes
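To see what the filter set above actually records, here is an added example (my own model, not SAP code or anything from the slide deck) that expresses filters 1 to 6 as data and checks which of them would write a given audit event. The pattern rules follow the slide ('*' is a wildcard, '#' makes the next character literal, so 'SAP#*' matches only the user named SAP*); the audit classes and severities attached to the sample events are constructed for the example and are not taken from the SAP message catalog.

```python
"""Model of the recommended Security Audit Log filter set (constructed example).

Filters F1-F6 mirror the slide; sample message IDs, audit classes and
severities are constructed for this example and are not the SAP catalog."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class AuditEvent:
    client: str
    user: str
    message_id: str    # e.g. AU2, AU3, AUK (ids as on the slide)
    audit_class: str   # e.g. "logon", "transaction", "rfc" (constructed)
    severity: str      # "uncritical", "important" or "critical" (constructed)


@dataclass(frozen=True)
class AuditFilter:
    name: str
    client: str                                      # client pattern
    user: str                                        # user pattern
    severity: str = "all"                            # lowest severity recorded
    audit_classes: Optional[FrozenSet[str]] = None   # None = every audit class
    extra_messages: FrozenSet[str] = frozenset()     # message IDs ticked individually


SEVERITY_RANK = {"all": 0, "uncritical": 0, "important": 1, "critical": 2}


def match_pattern(pattern: str, value: str) -> bool:
    """SM19-style matching: '*' matches any run of characters and '#' makes the
    next character literal, so 'SAP#*' matches only the user named SAP*."""
    if not pattern:
        return value == ""
    head = pattern[0]
    if head == "#" and len(pattern) > 1:
        return value[:1] == pattern[1] and match_pattern(pattern[2:], value[1:])
    if head == "*":
        return any(match_pattern(pattern[1:], value[i:]) for i in range(len(value) + 1))
    return value[:1] == head and match_pattern(pattern[1:], value[1:])


def filter_matches(f: AuditFilter, ev: AuditEvent) -> bool:
    """Does filter f record event ev? Client and user must match; then either
    the message ID was ticked explicitly, or class and severity qualify."""
    if not (match_pattern(f.client, ev.client) and match_pattern(f.user, ev.user)):
        return False
    if ev.message_id in f.extra_messages:
        return True
    if f.audit_classes is not None and ev.audit_class not in f.audit_classes:
        return False
    return SEVERITY_RANK[ev.severity] >= SEVERITY_RANK[f.severity]


RECOMMENDED_FILTERS = [
    AuditFilter("F1 critical events, all users", "*", "*", severity="critical",
                extra_messages=frozenset({"AUO", "AUZ", "BU5", "BU6", "BU7", "BU9",
                                          "BUA", "BUB", "BUC", "BUH", "AUP", "AUQ"})),
    AuditFilter("F2 user SAP*", "*", "SAP#*"),          # not 'SAP*': that is a wildcard
    AuditFilter("F3 SAP support users", "*", "SAPSUPPORT*"),
    AuditFilter("F4 firefighter users", "*", "FF*"),
    AuditFilter("F5 DDIC dialog use", "*", "DDIC",
                audit_classes=frozenset({"logon", "transaction"})),
    AuditFilter("F6 client 066", "066", "*"),
]


def matching_filters(ev: AuditEvent, filters=RECOMMENDED_FILTERS) -> List[str]:
    """Names of all filters that would write this event to the audit log."""
    return [f.name for f in filters if filter_matches(f, ev)]


def is_recorded(ev: AuditEvent, filters=RECOMMENDED_FILTERS) -> bool:
    return bool(matching_filters(ev, filters))


# Constructed sample events: (client, user, message id, class, severity)
SAMPLE_EVENTS = [
    AuditEvent("100", "SAP*", "AU2", "logon", "critical"),                 # F1 and F2
    AuditEvent("100", "SAPSUPPORT1", "AU3", "transaction", "uncritical"),  # F3 only
    AuditEvent("100", "DDIC", "AU3", "transaction", "uncritical"),         # F5: dialog use
    AuditEvent("100", "DDIC", "AUK", "rfc", "uncritical"),                 # nothing: RFC by DDIC
    AuditEvent("100", "JDOE", "AUO", "other", "uncritical"),               # F1 via ticked message
    AuditEvent("100", "JDOE", "AU3", "transaction", "uncritical"),         # nothing
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.client, ev.user, ev.message_id, "->", matching_filters(ev) or "not recorded")
```

The second sample event is the one worth noting: SAPSUPPORT1 is caught by filter 3 and not by filter 2, which is exactly why the slide recommends 'SAP#*' rather than 'SAP*' for the special user.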
“Security” monitor within the monitor set “SAP CCMS Monitor Template”
Alerting based on Configuration Validation
Setup – Configuration Validation
Example: Target System for critical authorization profile SAP_ALL
Create target system based on template 0SECN
Delete all other configuration stores besides AUTH_PROFILE_USER
• Check the rule:
− for profile SAP_ALL
− and any user ‘*’
− the authorization assignment is classified as “non compliant”
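The following is an added example of my own (not SAP code, not part of the slides) that replays this target system in plain Python: a single rule on the AUTH_PROFILE_USER store classifies every assignment of SAP_ALL to any user as non compliant, and the count per managed system becomes the "Number of non-compliant items" metric that later drives the alert. The store rows, system IDs, user names, the first-match evaluation order and the red threshold of one item are all assumptions made for the example.

```python
"""Configuration Validation of the AUTH_PROFILE_USER store against a target
system (constructed example, not SAP code).

The target system is modelled as on the slide: derived from template 0SECN,
all stores except AUTH_PROFILE_USER deleted, one rule classifying profile
SAP_ALL assigned to any user '*' as non compliant. Store rows, SIDs and user
names are constructed."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class StoreRow:
    """One row of the AUTH_PROFILE_USER config store of a managed system."""
    sid: str
    client: str
    user: str
    profile: str


@dataclass(frozen=True)
class TargetRule:
    """One line of the target system: the profile/user combination checked and
    how a matching row is classified ('*' = any; wildcard semantics assumed)."""
    store: str
    profile: str
    user: str
    classification: str   # "compliant" or "non compliant"


def row_matches(rule: TargetRule, row: StoreRow) -> bool:
    return fnmatchcase(row.profile, rule.profile) and fnmatchcase(row.user, rule.user)


def validate(rows: List[StoreRow], rules: List[TargetRule]) -> List[Tuple[StoreRow, str]]:
    """Classify every row; the first matching rule wins (assumed evaluation
    order); rows no rule covers are reported as 'not checked'."""
    result = []
    for row in rows:
        status = "not checked"
        for rule in rules:
            if row_matches(rule, row):
                status = rule.classification
                break
        result.append((row, status))
    return result


def non_compliant_items(rows, rules) -> List[StoreRow]:
    return [row for row, status in validate(rows, rules) if status == "non compliant"]


def metric_rating(count: int, red_threshold: int = 1) -> str:
    """Rating of the 'Number of non-compliant items' metric that feeds the
    alert inbox: green at zero, red once the (assumed) threshold is reached."""
    return "red" if count >= red_threshold else "green"


def summarize(rows, rules) -> Dict[str, Tuple[int, str]]:
    """Per managed system: number of non-compliant items and its rating."""
    counts: Dict[str, int] = {row.sid: 0 for row in rows}
    for row in non_compliant_items(rows, rules):
        counts[row.sid] += 1
    return {sid: (n, metric_rating(n)) for sid, n in counts.items()}


# The single rule of the SAP_ALL target system
RULES = [TargetRule("AUTH_PROFILE_USER", "SAP_ALL", "*", "non compliant")]

# Constructed store content of three managed systems
SAMPLE_ROWS = [
    StoreRow("ERP", "000", "SAP*", "SAP_ALL"),
    StoreRow("ERP", "000", "DDIC", "SAP_ALL"),
    StoreRow("ERP", "100", "JDOE", "SAP_ALL"),
    StoreRow("ERP", "100", "JDOE", "Z_FI_DISPLAY"),
    StoreRow("CRM", "100", "ASMITH", "SAP_ALL"),
    StoreRow("BW", "100", "JDOE", "Z_BW_REPORT"),
]

if __name__ == "__main__":
    for sid, (n, rating) in summarize(SAMPLE_ROWS, RULES).items():
        print(f"{sid}: {n} non-compliant item(s) -> {rating}")
    for row in non_compliant_items(SAMPLE_ROWS, RULES):
        print(f"  {row.sid}/{row.client} user {row.user} has profile {row.profile}")
```

Because the rule uses '*' for the user, the standard users SAP* and DDIC are reported just like the dialog user; if a landscape deliberately tolerates a specific assignment, that exception belongs in the target system as an explicit rule rather than in the threshold.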
Setup – Notification Management
Work Center Technical Administration
Notification Management maintains and notifies system users, business partners, and external users
Notification Management
Simple example: use “My Notification Settings” to add my user to the global recipient pool
In recipient lists, create the SAP_ALL_NOTIFICATION list and add my user to it
Setup – Technical Monitoring
Step 1-3: Prerequisites
Prerequisites: perform steps 1 – 3, which are not system specific
Setup – Technical Monitoring
Step 4: Template Maintenance: Deriving a template and adding a target system
Metric "Number of non-compliant items" is not active. It is necessary to activate it.
Create a template for the SAP Basis version your system is running on:
1. Mark Template
2. Create Custom Template
3. New template appears
Setup – Technical Monitoring
Step 4: Add target system SAP_ALL to metric "Number of non-compliant items"
Tab Metrics: click on "Number of non-compliant items"
1. In tab Data Collection, add target system
2. In tab Metrics, check Active
3. Save button is at the top
Setup – Technical Monitoring
Step 5: Define Scope
Choose a system, then Next
Setup – Technical Monitoring
Step 6: Setup Monitoring
1. Assign Template for Technical System
2. Apply and activate it
3. Configuration of Managed Object is the next step
Configuration of Managed Object – Notification
Notification setting can be done here
Technical Monitoring – Alert Inbox
Personalized query for Security Configuration
Guided Procedures for regular Tasks
You can create Guided Procedures for regular tasks
Option to link Guided Procedures to alerts
Accessible from Technical Administration Work Center via Guided Procedure Browser
Security in Operations
Integration with GRC Process Control
Entering: SAP Process Control
SAP Process Control core features:
Documentation of regulations (external) and creation, review and publication of policies (internal)
Documentation of critical processes subject to regulations and policies
Documentation of the organizational units that are handling those processes
Documentation of control activities that are required to ensure that the processes are executed properly
Issue handling on exceptions, with remediation plans to get back on track
Automated monitoring for exceptions to target values
Goal: Keep a firm grip on critical processes by making them and their applicable regulations and policies transparent, provide controls that check on proper conduct, and test controls for effectiveness
SAP GRC Solutions – Overall Picture
[Figure: SAP GRC solutions layered over Enterprise Applications, Legacy Apps and IT Infrastructure]
Manage: Risk, Compliance, Audit, Policy, Access, Exception
Monitor: KRIs, Controls, Transactions, Privileges, Events
Analyze: Dashboards & Visualization, Interactive Analysis, Exploration, Reports
GRC for LoBs: IT, Supply Chain, Sales and Marketing, Finance, …
GRC for Industries: Banking, Utilities, Mfg, Oil & Gas, CPG, …
Integrated Governance Risk & Compliance – Example
[Figure: SAP Process Control example spanning Access Risk Management, Compliance Management and Risk Management, including "Develop and Package External Content"]
Enterprise Risks: Fraud
Responses: Reduce, Control, Avoid, Accept, Transfer
Regulations
Process: IT Operations, Security Mgmt, Patching
Process Risks: Patch proc. not followed; Valid invoices not entered
Access Risks: User can enter vendor & PO; User can enter invoices & payments
Controls: Review of new SAP Security Notes; Standard users & passwords; Review of system configuration; Monitor Access Status; Mitigate Access Violations
Policies: Update and roll out strengthened security policy
#1: Policy Lifecycle Management
Key process steps in Policy Management:
1. Create and Document the Policy: centrally documented and defined in the policy library
2. Review & Approve the Policy: workflow support to review and approve policies
3. Publish & Distribute the Policy: determine the relevant recipients per policy and organization; workflow support to distribute policies across the organization; receive confirmation on acknowledgement of policies; optional: adjust policies to local needs
4. Monitor Policy Effectiveness: monitor policy acknowledgement; measure policy understanding using quizzes and surveys; monitor the policy effectiveness through policy “quizzes” and controls
5. Report on Policies: “out-of-the-box” online reports on policy and policy status
Key features of Automated Monitoring Framework (AMF)
(Process Control (PC) 10.0 Example given for each feature)
Change Analysis
• Monitors configurations and master data
• Reconstructs past settings over the monitored timeframe from Basis logs, assurance to catch even fleeting changes
• Fall back on snapshots of monitored settings (if not using Basis change logging)
Example: SD credit checks can be configured in many different ways which are regularly fine-tuned by SAP customers. AMF should raise a red flag only if the overall configuration varies from the list of acceptable settings.
Business-User Configurable Rules
• Arithmetic calculations on query results: date differences, amount %
• Nested logical expressions: ANDs and ORs
• Built-in currency conversion (leverages basic currency support)
• Grouping and aggregation
Examples: ($Today – DateDue) > 5; (CreditCheck = True AND CreditLimit NULL); (NewAmt – OldAmt)/OldAmt < 0.1; Total sales by sales person
Interactively Configured Queries
• Define queries in GRC product front-end, no changes to backend content or code
• Search for relevant backend tables, pick fields and conditions, join related tables, and so on
Example: Find sales to one-time customers grouped by sales person where the total exceeds the limit
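As an added illustration of the rule patterns listed on this slide (my own code, not SAP GRC or the AMF rule engine), the four example expressions and the grouped query are evaluated below over constructed query-result rows: a date-difference rule, a nested AND with a NULL test, a relative-change calculation, and grouping with aggregation against a limit. Field names follow the slide; the rows, the stand-in for $Today, the limit and the handling of a zero OldAmt (the row is skipped as not evaluable) are assumptions of the example.

```python
"""AMF-style business rules over query results (constructed example).

Each function returns the keys of the rows for which the slide's rule
expression holds, so the result is the exception list a rule would raise."""
from collections import defaultdict
from datetime import date
from typing import Dict, List

TODAY = date(2015, 10, 20)  # stand-in for $Today (constructed)


def overdue_invoices(rows: List[dict], today: date = TODAY, days: int = 5) -> List[str]:
    """($Today - DateDue) > 5: date arithmetic on a query result."""
    return [r["Invoice"] for r in rows if (today - r["DateDue"]).days > days]


def credit_check_without_limit(rows: List[dict]) -> List[str]:
    """(CreditCheck = True AND CreditLimit NULL): nested AND with a NULL test."""
    return [r["Customer"] for r in rows
            if r["CreditCheck"] is True and r["CreditLimit"] is None]


def relative_change_below(rows: List[dict], ratio: float = 0.1) -> List[str]:
    """(NewAmt - OldAmt)/OldAmt < 0.1: amount % calculation. A row with
    OldAmt = 0 cannot be evaluated and is skipped (assumed handling)."""
    hits = []
    for r in rows:
        if r["OldAmt"] == 0:
            continue
        if (r["NewAmt"] - r["OldAmt"]) / r["OldAmt"] < ratio:
            hits.append(r["Document"])
    return hits


def total_sales_by_person(rows: List[dict]) -> Dict[str, float]:
    """Total sales by sales person: grouping and aggregation."""
    totals: Dict[str, float] = defaultdict(float)
    for r in rows:
        totals[r["SalesPerson"]] += r["Amount"]
    return dict(totals)


def one_time_sales_over_limit(rows: List[dict], limit: float) -> Dict[str, float]:
    """Sales to one-time customers grouped by sales person where the total
    exceeds the limit (the query example on the slide)."""
    one_time = [r for r in rows if r["CustomerType"] == "one-time"]
    return {p: t for p, t in total_sales_by_person(one_time).items() if t > limit}


# Constructed query results
INVOICES = [
    {"Invoice": "4711", "DateDue": date(2015, 10, 10)},   # 10 days overdue
    {"Invoice": "4712", "DateDue": date(2015, 10, 17)},   # 3 days overdue
    {"Invoice": "4713", "DateDue": date(2015, 10, 25)},   # not yet due
]
CUSTOMERS = [
    {"Customer": "C001", "CreditCheck": True, "CreditLimit": None},
    {"Customer": "C002", "CreditCheck": True, "CreditLimit": 50000.0},
    {"Customer": "C003", "CreditCheck": False, "CreditLimit": None},
]
CHANGES = [
    {"Document": "D1", "OldAmt": 1000.0, "NewAmt": 1050.0},   # +5 %
    {"Document": "D2", "OldAmt": 1000.0, "NewAmt": 1200.0},   # +20 %
    {"Document": "D3", "OldAmt": 0.0, "NewAmt": 300.0},       # not evaluable
]
SALES = [
    {"SalesPerson": "ANNA", "CustomerType": "one-time", "Amount": 6000.0},
    {"SalesPerson": "ANNA", "CustomerType": "one-time", "Amount": 5000.0},
    {"SalesPerson": "BEN", "CustomerType": "one-time", "Amount": 2000.0},
    {"SalesPerson": "BEN", "CustomerType": "regular", "Amount": 20000.0},
]

if __name__ == "__main__":
    print("overdue:", overdue_invoices(INVOICES))
    print("credit check without limit:", credit_check_without_limit(CUSTOMERS))
    print("change below 10 %:", relative_change_below(CHANGES))
    print("one-time sales over limit:", one_time_sales_over_limit(SALES, 10000.0))
```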
Key features of Automated Monitoring Framework (AMF), cont.
(Process Control (PC) 10.0 Example given for each feature)
Leverage ABAP Report Content
• Search for available reports in backend systems
• Bind values such as date ranges and company codes to report parameters
• Configure the invocation completely within GRC applications: no changes to backend systems or use of variants
Example: Find qualified ABAP reports, discover their parameters, schedule them, and pass parameter values at run-time (no variants in backend)
Access to Other Query Engines
• Web-services-based query interface and integration enable connectivity to any query engine
• Partner or customer might need to adapt the web services interface
Example: Use defined web service interface to invoke suitable queries in non-SAP systems, e.g. Greenlight
Inbound Events
• Some systems such as CISCO’s SONA, ArcSight (HP) log analysis systems and Oversight’s fraud detection software offer more specialized monitoring capabilities
• Such systems can communicate problems to PC as they are detected, and PC can evaluate them via the rule engine
• Issues can be created, routed, and remediation documented
Examples: CISCO SONA can detect inappropriate use of corporate networks, security breaches, and so on. Oversight can detect fraud patterns in ERP transactions.
Other features of Automated Monitoring Framework (AMF)
(Process Control (PC) 10.0 Example given for each feature)
SAP NetWeaver PI
• SAP NetWeaver PI is SAP’s preferred integration platform
• Can be used to query databases using ODBC/JDBC
• Can connect to any application, but typically requires programming, at least to enable connectivity (but not necessarily for every rule/data source)
Example: Monitoring legacy or proprietary systems is sometimes necessary, especially for very industry-specific or niche software
Access Control Enhancement
• Access Control API enables PC business rule to pass full criteria for access risk reporting
• API enables reporting access permission violations, not just segregation of duties violations
• Drill-down from PC to AC from evaluation details to access risk
Example: Any access risk analysis criteria that can be defined directly in AC is now also available in the data source and business rule definition in PC
BW Query
• SAP Business Warehouse is used by many customers to extract and analyze transaction information in many dimensions
• Sometimes monitoring risks and compliance on the basis of BI analysis is the optimal strategy
Example: SAP SCPM delivers a lot of analytical content to measure supply chain performance. BW Queries on this content can quickly find problem areas such as sole-sourced supplies, stock-out durations, etc.
Monitoring: query-driven and event-driven
[Figure: SAP Process Control with event-driven and query-driven data flows from the monitored systems]
Process Control can extract data via queries or by waiting for events, triggering requests
A scheduler can regularly check for changes
Monitoring security with SAP Process Control: overall architecture
[Figure: SAP Process Control connected event-driven and query-driven to every backend system directly]
Checking compliance with security policies directly, such as SAP Security Patch status or recommended security settings, is inefficient and highly complex
Direct connections to all backend systems would be required, with a Plug-In Add-On needed as well
Monitoring security with SAP Process Control: overall architecture
[Figure: SAP Process Control (Policy Management; Automated Monitoring via SAP Query and BW Query) querying SAP Solution Manager (System Recommendations, Configuration Validation)]
Monitoring security with SAP Process Control: overall architecture
[Figure: SAP Process Control (Policy Management; Control Testing & Workflows; Automated Monitoring via SAP Query, BW Query) querying SAP Solution Manager (System Recommendations, Configuration Validation), which in turn is connected to SAP OSS; the flow is numbered 1 to 6 in the figure]
The Diagnostics Core Diagnostic Infrastructure
[Figure: managed systems (ABAP based and non-ABAP based installations) feed the Configuration and Change Database (CCDB) via Solution Tool Plugins (ST-A/PI) and Diagnostics Agents; the Extractor Framework (EFWK) is shown with schedules "once a day" and "hourly"; InfoCube 0SMD_CA02 feeds E2E Change Analysis II]
BI Reporting:
Change Reporting: browse CCDB data (CCDB data view with drilldown navigation)
E2E Change Analysis: top-down view on changes
The extraction of the data is scheduled as soon as a “Managed System Configuration” has been performed for a system.
Configuration Validation
Virtual InfoProvider: 0SMD_VCA1
[Figure (Solution Manager EHP1): ABAP based installations via Solution Tool Plugins and JAVA based installations via Diagnostics Agents feed the Configuration and Change Database (CCDB) through the Extractor Framework (EFWK) once a day; Configuration Validation Reporting reads the CCDB through Virtual InfoProvider 0SMD_VCA1 (function module), next to Change Reporting; Target System Maintenance keeps its own DB table]
Target systems: existing system configurations are copied into customer defined system configurations / baselines, with manual maintenance of the copied configuration data
Interactive BI based Reporting
GRC Process Control in the Business Client
http://<server>:8002/nwbc
Data Source: BW query of Configuration Validation
Copy of existing query with fixed values for mandatory parameters
Info provider of Configuration Validation
Business Explorer – Query Designer (BExQueryDesignerStarter.exe)
Business Explorer – Query Designer
Set fixed values for mandatory parameters in copied query
Business Rule triggered by non-compliant item
Feedback
Please complete your session evaluation for SEC202.
SAP TechEd Online
Continue your SAP TechEd education after the event!
http://sapteched.com/online
Access replays of keynotes, Demo Jam, SAP TechEd live interviews, select lecture sessions, and more!
Hands-on replays
Further Information
Related SAP TechEd sessions:
SEC102 – Find the Hackers in Your Landscape with SAP Enterprise Threat Detection
SEC104 – SAP NetWeaver: Benefit from New and Enhanced Security Features
SEC202 – Cross-System Security Validation Using SAP Solution Manager
SEC204 – Implementing Security Notes from SAP: Tools and Best Practices
SEC264 – Secure ABAP Development – One Bug Is Enough to Put Your Application at Risk
SAP Public Web
https://scn.sap.com/docs/DOC-60424 – Paper “Securing Remote Function Calls (RFC)”
https://scn.sap.com/docs/DOC-17149 – Paper “Secure Configuration of SAP NetWeaver Application Server ABAP”
https://scn.sap.com/community/security – SCN Security Community
https://support.sap.com/securitynotes – SAP Security Notes
https://support.sap.com/sos – SAP Security Optimization Services
https://service.sap.com/securityguide – SAP Security Guides
SAP Education and Certification Opportunities
www.sap.com/education – ADM900, ADM940, ADM950, ADM960: SAP System Administration - User and Security
Watch SAP TechEd Online
www.sapteched.com/online
Thank you
Frank Buchholz
SAP Active Global Support – Security Services
Birger Toedtmann
SAP Consulting – Security
Appendix
ABAP content of Configuration Validation available with SAP Solution Manager 7.1
CCDB Content Overview of an ABAP system
Examples of content areas:
Software Configuration
ABAP Instance Parameter
Database Configuration
Operating System Configuration
Business Warehouse Configuration
RFC Destinations Configuration
System Change Option Configuration
Security Configuration
Critical user authorizations
Change Reporting: Content grouped by ‘Alias / Sub-alias’
Configuration Stores dealing with Software Configuration
• SAP_KERNEL
SAP Kernel release and patch information
• ABAP_COMP_RELEASE
Software component release information
• ABAP_COMP_SPLEVEL
Software component and support package
information
• ABAP_NOTES
Notes applied via SNOTE
• ABAP PACKAGES
Installed ABAP software packages
• ABAP_SWITCH_FRAMEWORK
Active switches
• ABAP_TRANSPORT
Transports created and/or imported
Available with ST 710 SP12:
• LANDSCAPE
Contains some landscape information (product and product version)
• MESSAGE_SERVER_PORT
Contains message server specific port information
• SPAM_VERSION
Contains the SPAM release with version and patch number
Configuration Stores dealing with ABAP Instance Parameter
• ABAP_INSTANCE_PAHI
Active parameter of an ABAP instance
• ABAP_DEFAULT_PROFILE,
ABAP_INSTANCE_PROFILE,
ABAP_START_PROFILE
Profile files used by an ABAP instance
• TRANSPORT_TOOL
Contains the custom transport
settings (available 710 ST SP10).
Configuration Stores dealing with Database Configuration
• DB_INFO
DBSL release information of an SAP Kernel
• Database dependent Config Stores
Configuration Stores dealing with Operating System Configuration
• ENV_VARIABLES
Shell environment variables of user <SID>ADM
• PHYSICAL_HOST
Relation physical host to virtual host
• saposcol
CPU, memory, and operating system patch information
Configuration Stores dealing with Business Warehouse Configuration
• ROIDOCPRMS
BW request transfer parameters
• RSADMIN, RSADMINA, RSADMINC, RSADMINS
Common BW configuration
• UPC_DARK, UPC_DARK2
Specific BW configuration
Configuration Stores dealing with RFC Destinations Configuration
• RFCDES
All RFC destinations of a system; all attributes in one column
• RFC_TYPE_[3,G,H,L,T]
RFC destinations per type, each attribute is a column
• RFC_DES_TYPE_3_CHECK (Security)
Is a user with critical authorizations used in an RFC destination?
Configuration Stores dealing with System Change Configuration
• CLIENTS
System change settings per client
• COMPONENTS
System change settings per component
• GLOBAL
System change settings global
• NAMESPACES
System change settings per namespace
Configuration Stores dealing with Security Configuration
• GW_REGINFO, GW_SECINFO, MS_SECINFO
Gateway and message server access control lists
• STANDARD_USERS
ABAP standard users with password and lock status
• PSE_CERT
Certificates with validity information
• TWPSSO2ACL, RFCSYSACL, SNCSYSACL
Trusted-RFC, Trusted-SNC and Trusted-“Logon Tickets” information
• SICF_SERVICES
Active Web Services
• SESSION_MANAGEMENT
Contains the new ABAP session management setting
Available with ST 710 SP12:
• USER_PASSWD_HASH_USAGE
Distribution of password hashes of different types
• TDDAT and TDDAT_TABLES
Tables and assigned authorization classes
• AUDIT_CONFIGURATION
Contains the audit log file configuration
Configuration Stores dealing with Critical User Authorizations
Examples:
• AUTH_COMB_CHECK_[USER|ROLE]
Users or roles with special authorization combinations
• AUTH_PROFILE_USER
User profile check store
• AUTH_TRANSACTION_USER
User transaction check store
Additional in 7.10 ST10:
• AUTH_ROLE_USER
Role to user relationship
• AUTH_USER_TYPES
User to user type relationship
Most of these stores are customizable to adapt their content to the business needs.
Examples - CCDB Content for a J2EE system
ADOBE DOCUMENT SERVICES
ADS
BOOTSTRAP
DBPOOL
HTTP
ICM
IGS
J2EE
J2EE Engine
J2EE Software
J2EE Transports
JSTARTUP
JVM Parameters
KERNEL
LIBRARY
LOG
LV
OS
SDM
SECURITY
SERVICE
SLD
START Parameters
Configuration stores dealing with J2EE software components
Alias J2EE Software
• J2EE_COMP_SPLEVEL
J2EE software components containing: component, release, extended release, and patch level
• SAP_J2EEDeployedSCService
Deployed objects per component
The content of those config stores is retrieved from SLD.
Starting with SLD Release >= 7.10 the default setting has been changed in a way that this data is no longer processed. However, it's possible to turn on the processing of this data in newer releases.
Configuration stores dealing with J2EE parameters
Alias J2EE
• SAP_J2EEClusterNode
Exists per server or dispatcher node. It's based on an MBean query containing: VM parameters, system properties, and system infos (type XML).
• version.txt
Specifies the version of the system. It's written at start-up time of the instance (type text).
• instance.properties.vmprop
Contains VM parameters (type property); overlaps with config store instance.properties at Alias JVM Parameters
New Config Stores for Technical System of type J2EE in SP10
J2EE_PSE_CERT (J2EE certificates)
Contains the current certificates of the J2EE instances
Profile (J2EE start profile, J2EE instance profile)
Start and default profile
CTC config stores
CTC template changes at instance level now available as config stores
Configuration stores dealing with J2EE UME settings
Alias J2EE ENGINE
• com.sap.security.core.ume.service
Contains UME Properties for the Security Policy
(Example uses element search for parameter: ume.logon.security_policy.auto_unlock_time)
Further Configuration Stores impacting J2EE security
Source CTC
• servlet_jsp
• http
• authschemes.xml.file
Config Stores for Technical Systems supplied via CTS+ in SP10
Transports & Transport Tool config stores for SAP HANA and Business Object
© 2015 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate
company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.
Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.
National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its
affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and
services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as
constituting an additional warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop
or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future
developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time
for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-
looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place
undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.